SECURITY Backporting MySQLDatabase->addslashes() to use mysql_real_es…

…cape_string() instead of the non-multibyte-safe addslashes() PHP function, and using it in Convert::raw2sql()

core/Convert.php

@@ -104,9 +104,8 @@ static function raw2sql($val) {
 		if(is_array($val)) {
 			foreach($val as $k => $v) $val[$k] = self::raw2sql($v);
 			return $val;
-
 		} else {
-			return addslashes($val);
+			return DB::getConn()->addslashes($val);
 		}
 	}
 

core/model/Database.php

@@ -111,6 +111,14 @@ protected abstract function fieldList($table);
 	 */
 	protected abstract function tableList();
 
+	/**
+	 * Returns an escaped string.
+	 *
+	 * @param string
+	 * @return string - escaped string
+	 */
+	abstract function addslashes($val);
+
 	/**
 	 * The table list, generated by the tableList() function.
 	 * Used by the requireTable() function.

core/model/MySQLDatabase.php

@@ -400,6 +400,13 @@ function databaseError($msg, $errorLevel = E_USER_ERROR) {
 
 		user_error($msg, $errorLevel);
 	}
+
+	/*
+	 * This will return text which has been escaped in a database-friendly manner.
+	 */
+	function addslashes($value){
+		return mysql_real_escape_string($value, $this->dbConn);
+	}
 }
 
 /**