Diffstat (limited to 'includes')
-rw-r--r--includes/bootstrap.inc7
-rw-r--r--includes/common.inc2
-rw-r--r--includes/database.mysql.inc17
-rw-r--r--includes/database.pear.inc17
-rw-r--r--includes/database.pgsql.inc18
-rw-r--r--includes/locale.inc10
-rw-r--r--includes/tablesort.inc4
7 files changed, 45 insertions, 30 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 3712607d6..b1da3b337 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -346,13 +346,6 @@ function arg($index) {
}
/**
- * Prepare user input for use in a database query, preventing SQL injection attacks.
- */
-function check_query($text) {
- return addslashes($text);
-}
-
-/**
* Prepare user input for use in a URI.
*
* We replace ( and ) with their entity equivalents to prevent XSS attacks.
diff --git a/includes/common.inc b/includes/common.inc
index e53865ee4..dc72c88b9 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -228,7 +228,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) {
*/
function drupal_not_found() {
header('HTTP/1.0 404 Not Found');
- watchdog('httpd', t('404 error: %page not found.', array('%page' => '<em>'. check_query($_GET['q']) .'</em>')));
+ watchdog('httpd', t('404 error: %page not found.', array('%page' => '<em>'. db_escape_string($_GET['q']) .'</em>')));
$path = drupal_get_normal_path(variable_get('site_404', ''));
$status = MENU_NOT_FOUND;
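Review bot: The value of `$_GET['q']` on the changed line is wrapped in `<em>` markup, so the context it needs escaping for is HTML, and `db_escape_string` (a SQL string escaper) does not neutralise `<`, `>` or quotes in that context; if the watchdog message is later rendered as HTML in the log viewer, a `q` parameter containing markup would be rendered as-is. Use the HTML escaper here, `'<em>'. htmlspecialchars($_GET['q'], ENT_QUOTES) .'</em>'`, and leave SQL escaping to the query layer that inserts the message (presumably `watchdog` itself, which is not visible here; pre-escaping there would otherwise double-escape and store stray backslashes). `drupal_not_found` continues past the end of the hunk.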
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index e3c46557d..dbae5254d 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -55,11 +55,11 @@ function db_query($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs));
@@ -79,11 +79,11 @@ function db_queryd($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -248,7 +248,7 @@ function db_query_range($query) {
$count = array_pop($args);
$from = array_pop($args);
if (count(func_get_args()) > 3) {
- $args = array_map('check_query', $args);
+ $args = array_map('db_escape_string', $args);
$query = db_prefix_tables($query);
$args[0] = $query;
$query = call_user_func_array('sprintf', $args);
@@ -286,6 +286,13 @@ function db_decode_blob($data) {
}
/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ */
+function db_escape_string($text) {
+ return addslashes($text);
+}
+
+/**
* @} End of "ingroup database".
*/
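Review bot: `db_escape_string` for the MySQL driver is still `addslashes()`, which is a byte-level escaper unaware of the connection's character set, while the pgsql variant in this same commit delegates to the driver (`pg_escape_string`); the PEAR copy added at the end of `includes/database.pear.inc` has the same issue. With a multibyte client encoding a byte-level escaper can mis-escape quote bytes, so the driver's own escaper is the safer choice. For MySQL that is `return mysql_real_escape_string($text);` (PHP 4.3+, needs an open connection; `mysql_escape_string` otherwise), and for PEAR DB the connection object's `escapeSimple()` if the installed DB version provides it. The docblock should also state that the function escapes for a quoted string literal only, since callers such as `tablesort_sql` use it in other positions.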
diff --git a/includes/database.pear.inc b/includes/database.pear.inc
index fc8da8f91..f06db36a4 100644
--- a/includes/database.pear.inc
+++ b/includes/database.pear.inc
@@ -45,11 +45,11 @@ function db_query($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs));
@@ -69,11 +69,11 @@ function db_queryd($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -252,7 +252,7 @@ function db_query_range($query) {
$count = array_pop($args);
$from = array_pop($args);
if (count(func_get_args()) > 3) {
- $args = array_map('check_query', $args);
+ $args = array_map('db_escape_string', $args);
$query = db_prefix_tables($query);
$args[0] = $query;
$result = $active_db->limitQuery(call_user_func_array('sprintf', $args), $from, $count);
@@ -278,4 +278,11 @@ function db_query_range($query) {
}
}
+/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ */
+function db_escape_string($text) {
+ return addslashes($text);
+}
+
?>
diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc
index 3829b0920..2d5399018 100644
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@@ -51,11 +51,11 @@ function db_query($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs));
@@ -75,11 +75,11 @@ function db_queryd($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -242,7 +242,7 @@ function db_query_range($query) {
$count = array_pop($args);
$from = array_pop($args);
if (count(func_get_args()) > 3) {
- $args = array_map('check_query', $args);
+ $args = array_map('db_escape_string', $args);
$query = db_prefix_tables($query);
$args[0] = $query;
$query = call_user_func_array('sprintf', $args);
@@ -280,6 +280,14 @@ function db_decode_blob($data) {
}
/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ * Note: This function requires PostgreSQL 7.2 or later.
+ */
+function db_escape_string($text) {
+ return pg_escape_string($text);
+}
+
+/**
* @} End of "ingroup database".
*/
diff --git a/includes/locale.inc b/includes/locale.inc
index 8a79b3dc9..b68d38a13 100644
--- a/includes/locale.inc
+++ b/includes/locale.inc
@@ -1012,16 +1012,16 @@ function _locale_string_seek() {
// Compute LIKE section
switch ($query->searchin) {
case 'translated':
- $where = "WHERE (t.translation LIKE '%". check_query($query->string) ."%' AND t.translation != '')";
+ $where = "WHERE (t.translation LIKE '%". db_escape_string($query->string) ."%' AND t.translation != '')";
$orderby = "ORDER BY t.translation";
break;
case 'untranslated':
- $where = "WHERE (s.source LIKE '%". check_query($query->string) ."%' AND t.translation = '')";
+ $where = "WHERE (s.source LIKE '%". db_escape_string($query->string) ."%' AND t.translation = '')";
$orderby = "ORDER BY s.source";
break;
case 'all' :
default:
- $where = "WHERE (s.source LIKE '%". check_query($query->string) ."%' OR t.translation LIKE '%". check_query($query->string) ."%')";
+ $where = "WHERE (s.source LIKE '%". db_escape_string($query->string) ."%' OR t.translation LIKE '%". db_escape_string($query->string) ."%')";
$orderby = '';
break;
}
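Review bot: In each of the three `$where` branches `$query->string` is concatenated into a `LIKE '%…%'` pattern, and `db_escape_string` only escapes quote and backslash characters, so `%` and `_` in the user's search term still act as wildcards (a search for `100%` matches anything starting with `100`); the `case "en"` branch in the next hunk has the same issue. Escaping the LIKE metacharacters before the SQL escape keeps them literal: `$term = db_escape_string(addcslashes($query->string, '%_'));` and then use `$term` in place of the inline calls. The backslash that `addcslashes` inserts is itself escaped by `db_escape_string`, which yields `\%` in the final pattern, correct for MySQL's default escape character; confirm the behaviour for the other drivers. `_locale_string_seek` starts and ends outside this hunk.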
@@ -1029,7 +1029,7 @@ function _locale_string_seek() {
switch ($query->language) {
// Force search in source strings
case "en":
- $sql = $join ." WHERE s.source LIKE '%". check_query($query->string) ."%' ORDER BY s.source";
+ $sql = $join ." WHERE s.source LIKE '%". db_escape_string($query->string) ."%' ORDER BY s.source";
break;
// Search in all languages
case "all":
@@ -1037,7 +1037,7 @@ function _locale_string_seek() {
break;
// Some different language
default:
- $sql = "$join $where AND t.locale = '". check_query($query->language) ."' $orderby";
+ $sql = "$join $where AND t.locale = '". db_escape_string($query->language) ."' $orderby";
}
$result = pager_query($sql, 50);
diff --git a/includes/tablesort.inc b/includes/tablesort.inc
index 43edc5fc3..6be5a5540 100644
--- a/includes/tablesort.inc
+++ b/includes/tablesort.inc
@@ -51,8 +51,8 @@ function tablesort_pager() {
function tablesort_sql($header, $before = '') {
$ts = tablesort_init($header);
if ($ts['sql']) {
- $sql = check_query($ts['sql']);
- $sort = strtoupper(check_query($ts['sort']));
+ $sql = db_escape_string($ts['sql']);
+ $sort = strtoupper(db_escape_string($ts['sort']));
return " ORDER BY $before $sql $sort";
}
}
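Review bot: `tablesort_sql` interpolates `$ts['sql']` and `$ts['sort']` into `ORDER BY` as a bare column expression and sort keyword, not as quoted string literals, and a string escaper such as `db_escape_string` offers no protection outside a quoted literal. Unless `tablesort_init` (outside this hunk) already restricts both values to the column definitions in `$header`, the safe form is a whitelist: `$sort = strtoupper($ts['sort']) == 'DESC' ? 'DESC' : 'ASC';` and `$sql` validated against the fields declared in `$header` rather than escaped. If `tablesort_init` does validate, the two escaping calls are redundant and a comment saying so, e.g. `// $ts values are whitelisted by tablesort_init(); escaping is defence in depth only.`, would stop readers relying on them.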