
SECURITY Backporting MySQLDatabase->addslashes() to use mysql_real_escape_string() instead of the non-multibyte-safe addslashes() PHP function, and using it in Convert::raw2sql()
1 parent b37836f commit ca7878453f7b30305e0c703f9cdebfe7c04de017 @chillu chillu committed Sep 15, 2011
Showing with 16 additions and 2 deletions.
  1. +1 −2 core/Convert.php
  2. +8 −0 core/model/Database.php
  3. +7 −0 core/model/MySQLDatabase.php
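--- a/core/Convert.php
+++ b/core/Convert.php
@@ -104,9 +104,8 @@ static function raw2sql($val) {
 if(is_array($val)) {
 foreach($val as $k => $v) $val[$k] = self::raw2sql($v);
 return $val;
-
 } else {
- return addslashes($val);
+ return DB::getConn()->addslashes($val);
 }
 }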
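Review bot: `DB::getConn()->addslashes($val)` turns what was a connection-free string function into one that needs a live database handle, and the new line does not check that it has one: if `DB::getConn()` yields no connection yet (presumably the case during install, early bootstrap, or tests that never connect — I can't see `DB::getConn()` here) the call dies with a fatal "call to a member function on a non-object" instead of a meaningful error. I would fail loudly and explicitly: `$conn = DB::getConn();`, `if(!$conn) user_error('Convert::raw2sql() requires an active database connection', E_USER_ERROR);`, `return $conn->addslashes($val);`. It is also worth a docblock line on `raw2sql()` saying the result is escaped for the current connection's charset and still has to be wrapped in quotes by the caller, since the escaping now varies by driver. The `raw2sql()` method itself begins before this hunk; only its signature is visible in the hunk header.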
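--- a/core/model/Database.php
+++ b/core/model/Database.php
@@ -112,6 +112,14 @@
 protected abstract function tableList();
 /**
+ * Returns an escaped string.
+ *
+ * @param string
+ * @return string - escaped string
+ */
+ abstract function addslashes($val);
+
+ /**
 * The table list, generated by the tableList() function.
 * Used by the requireTable() function.
 * @var array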
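Review bot: Declaring `abstract function addslashes($val);` on `Database` makes every subclass that does not define the method fail to load, which for a backport means any third-party adapter built against this branch breaks until it adds one; if that is intended it should be called out in the commit message, otherwise a concrete default (`function addslashes($val) { return addslashes($val); }` with a comment that drivers should override it with their connection-aware escaper) keeps existing adapters working. The docblock also leaves the contract underspecified: `@param string` is missing the parameter name, and nothing says whether the value comes back quoted or what encoding it is escaped for. I would write ` * @param string $val Raw value destined for a quoted SQL string literal.` and ` * @return string The value escaped for the driver's connection charset; surrounding quotes are not added.` Since `tableList()` above carries an explicit `protected`, the new declaration should carry an explicit `public` for consistency (it is called from outside the class in this same commit).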
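--- a/core/model/MySQLDatabase.php
+++ b/core/model/MySQLDatabase.php
@@ -400,6 +400,13 @@ function databaseError($msg, $errorLevel = E_USER_ERROR) {
 user_error($msg, $errorLevel);
 }
+
+ /*
+ * This will return text which has been escaped in a database-friendly manner.
+ */
+ function addslashes($value){
+ return mysql_real_escape_string($value, $this->dbConn);
+ }
 }
 /**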
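Review bot: `mysql_real_escape_string($value, $this->dbConn)` is only multibyte-safe when the link's character set — the one set through `mysql_set_charset()`, which a `SET NAMES` query does not update on the client side — matches the encoding of the data being escaped; with a default or mismatched connection charset the multibyte quote-smuggling sequences this commit is meant to stop still get through, so the fix depends on how `$this->dbConn` is configured in the constructor, which is outside this hunk and I cannot confirm here. Separately, when `$this->dbConn` is not a live link the function returns `false`, which a caller interpolating into SQL silently turns into an empty string; a guard such as `if(!is_resource($this->dbConn)) user_error('MySQLDatabase::addslashes() called without an open connection', E_USER_ERROR);` before the call would surface that instead. The comment should also be a `/**` docblock (the abstract declaration on `Database` uses one) and state what callers need to know: escaping is done for the connection's charset, the result is not quoted, and LIKE wildcards `%` and `_` are left untouched.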
