From fa97839088dd0de1df73a990255edce7eddf90d9 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Sun, 21 Nov 2004 08:25:17 +0000
Subject: - Patch 13180 by chx: renamed check_query() to db_escape_string() and implemtented it properly per database backend. Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
---
 includes/bootstrap.inc | 7 -------
 includes/common.inc | 2 +-
 includes/database.mysql.inc | 17 ++++++++++++-----
 includes/database.pear.inc | 17 ++++++++++++-----
 includes/database.pgsql.inc | 18 +++++++++++++-----
 includes/locale.inc | 10 +++++-----
 includes/tablesort.inc | 4 ++--
 7 files changed, 45 insertions(+), 30 deletions(-)
(limited to 'includes')

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 3712607d6..b1da3b337 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -345,13 +345,6 @@ function arg($index) {
   }
 }
 
-/**
- * Prepare user input for use in a database query, preventing SQL injection attacks.
- */
-function check_query($text) {
-  return addslashes($text);
-}
-
 /**
  * Prepare user input for use in a URI.
  *
diff --git a/includes/common.inc b/includes/common.inc
index e53865ee4..dc72c88b9 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -228,7 +228,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) {
  */
 function drupal_not_found() {
   header('HTTP/1.0 404 Not Found');
-  watchdog('httpd', t('404 error: %page not found.', array('%page' => ''. check_query($_GET['q']) .'')));
+  watchdog('httpd', t('404 error: %page not found.', array('%page' => ''. db_escape_string($_GET['q']) .'')));
   $path = drupal_get_normal_path(variable_get('site_404', ''));
   $status = MENU_NOT_FOUND;
 
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index e3c46557d..dbae5254d 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -55,11 +55,11 @@ function db_query($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs));
@@ -79,11 +79,11 @@ function db_queryd($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -248,7 +248,7 @@ function db_query_range($query) {
   $count = array_pop($args);
   $from = array_pop($args);
   if (count(func_get_args()) > 3) {
-    $args = array_map('check_query', $args);
+    $args = array_map('db_escape_string', $args);
     $query = db_prefix_tables($query);
     $args[0] = $query;
     $query = call_user_func_array('sprintf', $args);
@@ -285,6 +285,13 @@ function db_decode_blob($data) {
   return $data;
 }
 
+/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ */
+function db_escape_string($text) {
+  return addslashes($text);
+}
+
 /**
  * @} End of "ingroup database".
  */
diff --git a/includes/database.pear.inc b/includes/database.pear.inc
index fc8da8f91..f06db36a4 100644
--- a/includes/database.pear.inc
+++ b/includes/database.pear.inc
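Review bot: The new db_escape_string() in the last hunk (@@ -285) of the mysql backend still returns addslashes($text), which the commit message itself cites as discouraged; addslashes() knows nothing about the connection's character set, so it is not a complete escaping routine for MySQL even though the docblock promises injection prevention. The mysql extension's own routine escapes according to the open connection's charset, so `return mysql_real_escape_string($text);` (with a fallback to addslashes() only while no connection exists) would match what the pgsql backend now does with pg_escape_string(). The same addslashes() body is added to the pear backend (database.pear.inc, hunk @@ -278); if the bundled PEAR DB version exposes its driver-level escaping it should be used there for the same reason. The docblock should also state that the returned value is meant to be placed inside single quotes, since callers in locale.inc and tablesort.inc interpolate it straight into SQL text.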
@@ -45,11 +45,11 @@ function db_query($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs));
@@ -69,11 +69,11 @@ function db_queryd($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -252,7 +252,7 @@ function db_query_range($query) {
   $count = array_pop($args);
   $from = array_pop($args);
   if (count(func_get_args()) > 3) {
-    $args = array_map('check_query', $args);
+    $args = array_map('db_escape_string', $args);
     $query = db_prefix_tables($query);
     $args[0] = $query;
     $result = $active_db->limitQuery(call_user_func_array('sprintf', $args), $from, $count);
@@ -278,4 +278,11 @@ function db_query_range($query) {
   }
 }
 
+/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ */
+function db_escape_string($text) {
+  return addslashes($text);
+}
+
 ?>
diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc
index 3829b0920..2d5399018 100644
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@@ -51,11 +51,11 @@ function db_query($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs));
@@ -75,11 +75,11 @@ function db_queryd($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -242,7 +242,7 @@ function db_query_range($query) {
   $count = array_pop($args);
   $from = array_pop($args);
   if (count(func_get_args()) > 3) {
-    $args = array_map('check_query', $args);
+    $args = array_map('db_escape_string', $args);
     $query = db_prefix_tables($query);
     $args[0] = $query;
     $query = call_user_func_array('sprintf', $args);
@@ -279,6 +279,14 @@ function db_decode_blob($data) {
   return stripcslashes($data);
 }
 
+/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ * Note: This function requires PostgreSQL 7.2 or later.
+ */
+function db_escape_string($text) {
+  return pg_escape_string($text);
+}
+
 /**
  * @} End of "ingroup database".
  */
diff --git a/includes/locale.inc b/includes/locale.inc
index 8a79b3dc9..b68d38a13 100644
--- a/includes/locale.inc
+++ b/includes/locale.inc
@@ -1012,16 +1012,16 @@ function _locale_string_seek() {
   // Compute LIKE section
   switch ($query->searchin) {
     case 'translated':
-      $where = "WHERE (t.translation LIKE '%". check_query($query->string) ."%' AND t.translation != '')";
+      $where = "WHERE (t.translation LIKE '%". db_escape_string($query->string) ."%' AND t.translation != '')";
       $orderby = "ORDER BY t.translation";
       break;
     case 'untranslated':
-      $where = "WHERE (s.source LIKE '%". check_query($query->string) ."%' AND t.translation = '')";
+      $where = "WHERE (s.source LIKE '%". db_escape_string($query->string) ."%' AND t.translation = '')";
       $orderby = "ORDER BY s.source";
       break;
     case 'all' :
     default:
-      $where = "WHERE (s.source LIKE '%". check_query($query->string) ."%' OR t.translation LIKE '%". check_query($query->string) ."%')";
+      $where = "WHERE (s.source LIKE '%". db_escape_string($query->string) ."%' OR t.translation LIKE '%". db_escape_string($query->string) ."%')";
       $orderby = '';
       break;
   }
@@ -1029,7 +1029,7 @@ function _locale_string_seek() {
   switch ($query->language) {
     // Force search in source strings
     case "en":
-      $sql = $join ." WHERE s.source LIKE '%". check_query($query->string) ."%' ORDER BY s.source";
+      $sql = $join ." WHERE s.source LIKE '%". db_escape_string($query->string) ."%' ORDER BY s.source";
       break;
     // Search in all languages
     case "all":
@@ -1037,7 +1037,7 @@ function _locale_string_seek() {
       break;
     // Some different language
     default:
-      $sql = "$join $where AND t.locale = '". check_query($query->language) ."' $orderby";
+      $sql = "$join $where AND t.locale = '". db_escape_string($query->language) ."' $orderby";
   }
 
   $result = pager_query($sql, 50);
diff --git a/includes/tablesort.inc b/includes/tablesort.inc
index 43edc5fc3..6be5a5540 100644
--- a/includes/tablesort.inc
+++ b/includes/tablesort.inc
@@ -51,8 +51,8 @@ function tablesort_pager() {
 function tablesort_sql($header, $before = '') {
   $ts = tablesort_init($header);
   if ($ts['sql']) {
-    $sql = check_query($ts['sql']);
-    $sort = strtoupper(check_query($ts['sort']));
+    $sql = db_escape_string($ts['sql']);
+    $sort = strtoupper(db_escape_string($ts['sort']));
     return " ORDER BY $before $sql $sort";
   }
 }
--
cgit v1.2.3
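Review bot: Both escaped values are interpolated into an unquoted position (`return " ORDER BY $before $sql $sort";`), where a routine that only escapes quotes and backslashes does not constrain the value at all; db_escape_string(), in every backend this commit adds, is only meaningful for text placed inside a quoted string literal. Whether this is a problem depends on tablesort_init(), which is outside the hunk: if it already restricts $ts['sql'] to the column expressions declared in $header and $ts['sort'] to asc/desc, a comment above the if saying so would make the contract explicit; otherwise $sort should be reduced to an allowlist, e.g. `$sort = strtoupper($ts['sort']) == 'DESC' ? 'DESC' : 'ASC';`, and $sql checked against the header's declared fields rather than escaped. The docblock of tablesort_sql() (above the hunk) should then state which inputs are trusted and which are validated here.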