author | Dries Buytaert <dries@buytaert.net> | 2010-06-01 09:24:09 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2010-06-01 09:24:09 +0000 |
commit | d297ac7464fd8a307910052d7e391ae6588f9451 (patch) | |
tree | 632707373dcd1f6f598348036985a94d207d6d4d /includes/database | |
parent | cf822bd236e119b62ea31159588f0d03d2aa79bf (diff) | |
download | brdo-d297ac7464fd8a307910052d7e391ae6588f9451.tar.gz brdo-d297ac7464fd8a307910052d7e391ae6588f9451.tar.bz2 |
- Patch #811776 by Heine: regression of SA-2006-005 - SQL Injection via db_query_range().
Diffstat (limited to 'includes/database')
-rw-r--r-- | includes/database/mysql/database.inc | 2 | ||||
-rw-r--r-- | includes/database/pgsql/database.inc | 2 | ||||
-rw-r--r-- | includes/database/select.inc | 2 | ||||
-rw-r--r-- | includes/database/sqlite/database.inc | 2 |
4 files changed, 4 insertions, 4 deletions
diff --git a/includes/database/mysql/database.inc b/includes/database/mysql/database.inc
index 77779f992..4e03539e5 100644
--- a/includes/database/mysql/database.inc
+++ b/includes/database/mysql/database.inc
@@ -59,7 +59,7 @@ class DatabaseConnection_mysql extends DatabaseConnection {
 }
 public function queryRange($query, $from, $count, array $args = array(), array $options = array()) {
- return $this->query($query . ' LIMIT ' . $from . ', ' . $count, $args, $options);
+ return $this->query($query . ' LIMIT ' . (int) $from . ', ' . (int) $count, $args, $options);
 }
 public function queryTemporary($query, array $args = array(), array $options = array()) {
diff --git a/includes/database/pgsql/database.inc b/includes/database/pgsql/database.inc
index 35179e855..2aff55b87 100644
--- a/includes/database/pgsql/database.inc
+++ b/includes/database/pgsql/database.inc
@@ -106,7 +106,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
 }
 public function queryRange($query, $from, $count, array $args = array(), array $options = array()) {
- return $this->query($query . ' LIMIT ' . $count . ' OFFSET ' . $from, $args, $options);
+ return $this->query($query . ' LIMIT ' . (int) $count . ' OFFSET ' . (int) $from, $args, $options);
 }
 public function queryTemporary($query, array $args = array(), array $options = array()) {
diff --git a/includes/database/select.inc b/includes/database/select.inc
index 5cb4c04f4..34defb56c 100644
--- a/includes/database/select.inc
+++ b/includes/database/select.inc
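Review bot: The `(int)` casts on `$from` and `$count` in queryRange stop string injection but do not bound the value, so a negative integer still reaches the SQL, and as far as I know the backends disagree on it: MySQL and PostgreSQL reject a negative LIMIT/OFFSET with an error while SQLite treats a negative LIMIT as "no limit", so the same caller input produces an error on one backend and an unbounded result set on another. Clamping at the cast site, `max(0, (int) $from)` and `max(0, (int) $count)`, would make the mysql, pgsql and sqlite hunks behave alike; the select.inc hunk below has the same gap with `$this->range['length']` and `$this->range['start']`, whose producer is outside this diff. Since the commit message records this as a re-fix of SA-2006-005 after the original cast was lost once, each cast also deserves a why-comment so a later cleanup does not drop it again, e.g. `// Cast to int: LIMIT/OFFSET are interpolated into the SQL string, not bound as parameters.`.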
@@ -1407,7 +1407,7 @@ class SelectQuery extends Query implements SelectQueryInterface {
 // Databases that need a different syntax can override this method and
 // do whatever alternate logic they need to.
 if (!empty($this->range)) {
- $query .= "\nLIMIT " . $this->range['length'] . " OFFSET " . $this->range['start'];
+ $query .= "\nLIMIT " . (int) $this->range['length'] . " OFFSET " . (int) $this->range['start'];
 }
 // UNION is a little odd, as the select queries to combine are passed into
diff --git a/includes/database/sqlite/database.inc b/includes/database/sqlite/database.inc
index 98ffe32d6..5dc8cff38 100644
--- a/includes/database/sqlite/database.inc
+++ b/includes/database/sqlite/database.inc
@@ -159,7 +159,7 @@ class DatabaseConnection_sqlite extends DatabaseConnection {
 }
 public function queryRange($query, $from, $count, array $args = array(), array $options = array()) {
- return $this->query($query . ' LIMIT ' . $from . ', ' . $count, $args, $options);
+ return $this->query($query . ' LIMIT ' . (int) $from . ', ' . (int) $count, $args, $options);
 }
 public function queryTemporary($query, array $args = array(), array $options = array()) { |