author | Dries Buytaert <dries@buytaert.net> | 2011-05-22 09:08:19 -0400 |
committer | Dries Buytaert <dries@buytaert.net> | 2011-05-22 09:08:19 -0400 |
commit | 5dbe8aa92b9e746962b43f9a24b10d7f9616d232 (patch) | |
tree | 3a99baca5a9f27bb3914ef9ee082eb4d2d6d84fc /includes/database/database.inc | |
parent | c88f2e0188e48f4c4adfb101d70733a0b27d4685 (diff) | |
parent | 267b9c435c5d7266f4ce674b84d95bfe1f5a0920 (diff) | |
Merge branch '7.x' of git.drupal.org:project/drupal into 7.x
Diffstat (limited to 'includes/database/database.inc')
-rw-r--r-- | includes/database/database.inc | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/includes/database/database.inc b/includes/database/database.inc
index 4539b37a7..4cc1a33d7 100644
--- a/includes/database/database.inc
+++ b/includes/database/database.inc
@@ -541,6 +541,63 @@ abstract class DatabaseConnection extends PDO {
 }

 /**
+ * Flatten an array of query comments into a single comment string.
+ *
+ * The comment string will be sanitized to avoid SQL injection attacks.
+ *
+ * @param $comments
+ * An array of query comment strings.
+ *
+ * @return
+ * A sanitized comment string.
+ */
+ public function makeComment($comments) {
+ if (empty($comments))
+ return '';
+
+ // Flatten the array of comments.
+ $comment = implode('; ', $comments);
+
+ // Sanitize the comment string so as to avoid SQL injection attacks.
+ return '/* ' . $this->filterComment($comment) . ' */ ';
+ }
+
+ /**
+ * Sanitize a query comment string.
+ *
+ * Ensure a query comment does not include strings such as "* /" that might
+ * terminate the comment early. This avoids SQL injection attacks via the
+ * query comment. The comment strings in this example are separated by a
+ * space to avoid PHP parse errors.
+ *
+ * For example, the comment:
+ * @code
+ * db_update('example')
+ * ->condition('id', $id)
+ * ->fields(array('field2' => 10))
+ * ->comment('Exploit * / DROP TABLE node; --')
+ * ->execute()
+ * @endcode
+ *
+ * Would result in the following SQL statement being generated:
+ * @code
+ * "/ * Exploit * / DROP TABLE node; -- * / UPDATE example SET field2=..."
+ * @endcode
+ *
+ * Unless the comment is sanitised first, the SQL server would drop the
+ * node table and ignore the rest of the SQL statement.
+ *
+ * @param $comment
+ * A query comment string.
+ *
+ * @return
+ * A sanitized version of the query comment string.
+ */
+ protected function filterComment($comment = '') {
+ return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment);
+ }
+
+ /**
 * Executes a query string against the database.
 *
 * This method provides a central handler for the actual execution of every |
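Review bot: filterComment's single-pass preg_replace can leave a comment terminator behind, because deleting one match joins the characters on either side of it; the constructed input `**//` comes out as `*/` after one pass, so the early-termination case the docblock describes is not fully closed. Repeating the replacement until nothing matches closes the gap: `$pattern = '/(\/\*\s*)|(\s*\*\/)/';` then `while (preg_match($pattern, $comment)) { $comment = preg_replace($pattern, '', $comment); }` and `return $comment;` (each pass removes at least two characters, so the loop terminates). An equivalent option is to replace each match with a space instead of the empty string so removed fragments cannot reassemble. Two smaller points: the braceless `if (empty($comments)) return '';` in makeComment is worth bracing for consistency, and the two docblocks mix "sanitized" and "sanitised".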