From 3cf4c8fabf1bc61f1b4c5b81705615c34f5ef577 Mon Sep 17 00:00:00 2001 From: stronk7 Date: Mon, 22 Jun 2009 17:30:15 +0000 Subject: [PATCH] MDL-19452 Fix oracle/mssql drivers behaviour when using magic_quotes_sybase leading to wrongly escaped contents. Many thanks to Sam Moffatt! Merged from 19_STABLE --- lib/adodb/adodb.inc.php | 8 +++-- lib/adodb/drivers/adodb-mssql.inc.php | 42 ++++++++++++++++++++++++++- lib/adodb/drivers/adodb-oci8.inc.php | 19 +++++++----- lib/adodb/readme_moodle.txt | 5 ++++ 4 files changed, 64 insertions(+), 10 deletions(-) diff --git a/lib/adodb/adodb.inc.php b/lib/adodb/adodb.inc.php index 9a619ffb5b..06289a5495 100644 --- a/lib/adodb/adodb.inc.php +++ b/lib/adodb/adodb.inc.php @@ -2604,7 +2604,9 @@ http://www.stanford.edu/dept/itss/docs/oracle/10g/server.101/b10759/statements_1 // undo magic quotes for " $s = str_replace('\\"','"',$s); - if ($this->replaceQuote == "\\'") // ' already quoted, no need to change anything + // moodle change start - see readme_moodle.txt + if ($this->replaceQuote == "\\'" || ini_get('magic_quotes_sybase')) // ' already quoted, no need to change anything + // moodle change end - see readme_moodle.txt return $s; else {// change \' to '' for sybase/mssql $s = str_replace('\\\\','\\',$s); @@ -2638,7 +2640,9 @@ http://www.stanford.edu/dept/itss/docs/oracle/10g/server.101/b10759/statements_1 // undo magic quotes for " $s = str_replace('\\"','"',$s); - if ($this->replaceQuote == "\\'") // ' already quoted, no need to change anything + // moodle change start - see readme_moodle.txt + if ($this->replaceQuote == "\\'" || ini_get('magic_quotes_sybase')) // ' already quoted, no need to change anything + // moodle change end - see readme_moodle.txt return "'$s'"; else {// change \' to '' for sybase/mssql $s = str_replace('\\\\','\\',$s); diff --git a/lib/adodb/drivers/adodb-mssql.inc.php b/lib/adodb/drivers/adodb-mssql.inc.php index 65a1c20eb6..7cf51201df 100644 --- a/lib/adodb/drivers/adodb-mssql.inc.php 
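Review bot: In both adodb.inc.php hunks the context line `$s = str_replace('\\"','"',$s);` still runs before the new `ini_get('magic_quotes_sybase')` test, so the base-class addq() and qstr() keep undoing backslash-escaped double quotes that sybase-style quoting never added. The driver overrides added in this same commit skip that step when the setting is on, so a value containing a literal `\"` would end up stored differently depending on which driver handles it. Guarding the line would make the three implementations agree, e.g. `if (!ini_get('magic_quotes_sybase')) $s = str_replace('\\"','"',$s);`. Both functions start and end outside the hunks.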
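Review bot: The new `|| ini_get('magic_quotes_sybase')` test relies on string truthiness, and ini_get() may return the literal configured text rather than `"1"` or an empty string, so a per-directory value such as `Off` would presumably count as enabled. Backslash-quoted input would then take the pass-through return and reach the database without its quotes converted to `replaceQuote`. The same test appears in the first adodb.inc.php hunk and as `$sybase = ini_get('magic_quotes_sybase');` in the mssql and oci8 hunks. Normalising the value once would be safer, e.g. `$sybase = in_array(strtolower((string)ini_get('magic_quotes_sybase')), array('1','on','yes','true'), true);`.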
+++ b/lib/adodb/drivers/adodb-mssql.inc.php @@ -738,6 +738,46 @@ order by constraint_name, referenced_table_name, keyno"; } return $rez; } + +// moodle change start - see readme_moodle.txt + /** + * Correctly quotes a string so that all strings are escaped. We prefix and append + * to the string single-quotes. + * An example is $db->qstr("Don't bother",magic_quotes_runtime()); + * + * @param s the string to quote + * @param [magic_quotes] if $s is GET/POST var, set to get_magic_quotes_gpc(). + * This undoes the stupidity of magic quotes for GPC. + * + * @return quoted string to be sent back to database + */ + function qstr($s,$magic_quotes=false) + { + if (!$magic_quotes) { + + if ($this->replaceQuote[0] == '\\'){ + // only since php 4.0.5 + $s = adodb_str_replace(array('\\',"\0"),array('\\\\',"\\\0"),$s); + //$s = str_replace("\0","\\\0", str_replace('\\','\\\\',$s)); + } + return "'".str_replace("'",$this->replaceQuote,$s)."'"; + } + + // undo magic quotes for " unless sybase is on + $sybase = ini_get('magic_quotes_sybase'); + if (!$sybase) { + $s = str_replace('\\"','"',$s); + if ($this->replaceQuote == "\\'") // ' already quoted, no need to change anything + return "'$s'"; + else {// change \' to '' for sybase/mssql + $s = str_replace('\\\\','\\',$s); + return "'".str_replace("\\'",$this->replaceQuote,$s)."'"; + } + } else { + return "'".$s."'"; + } + } +// moodle change end - see readme_moodle.txt // returns true or false function _close() @@ -1061,4 +1101,4 @@ order by constraint_name, ordinal_position http://www.databasejournal.com/scripts/article.php/1440551 */ -?> \ No newline at end of file +?> diff --git a/lib/adodb/drivers/adodb-oci8.inc.php b/lib/adodb/drivers/adodb-oci8.inc.php index da7bbb6865..45dff8d105 100644 --- a/lib/adodb/drivers/adodb-oci8.inc.php +++ b/lib/adodb/drivers/adodb-oci8.inc.php 
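Review bot: The sybase branch of the new qstr() ends in `return "'".$s."'";`, which wraps the caller's string with no escaping at all, so its safety depends entirely on `$magic_quotes` being true only for values that really went through GPC quoting. That precondition is not stated in the docblock; I would add a comment above the branch such as `// $s must be an unmodified GPC value: with magic_quotes_sybase on, ' is already doubled and nothing else is escaped here`. The oci8 hunk adds the same branch and deserves the same comment. Separately, the docblock's `@param s` and `@param [magic_quotes]` tags lack types and the `$` prefix, and its example passes `magic_quotes_runtime()` where the parameter description says `get_magic_quotes_gpc()`.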
@@ -1282,13 +1282,18 @@ SELECT /*+ RULE */ distinct b.column_name } return "'".str_replace("'",$this->replaceQuote,$s)."'"; } - - // undo magic quotes for " - $s = str_replace('\\"','"',$s); - - $s = str_replace('\\\\','\\',$s); - return "'".str_replace("\\'",$this->replaceQuote,$s)."'"; - +// moodle change start - see readme_moodle.txt + + // undo magic quotes for " unless sybase is on + $sybase = ini_get('magic_quotes_sybase'); + if (!$sybase) { + $s = str_replace('\\"','"',$s); + $s = str_replace('\\\\','\\',$s); + return "'".str_replace("\\'",$this->replaceQuote,$s)."'"; + } else { + return "'".$s."'"; + } +// moodle change end - see readme_moodle.txt } } diff --git a/lib/adodb/readme_moodle.txt b/lib/adodb/readme_moodle.txt index 2c84c58531..c4a38e7fe2 100644 --- a/lib/adodb/readme_moodle.txt +++ b/lib/adodb/readme_moodle.txt @@ -18,6 +18,11 @@ Our changes: /// Look for "moodle" in adodb code * adodb-lib.inc.php - modify some debug output to be correct XHTML. MDL-12378. Reported to ADOdb at: http://phplens.com/lens/lensforum/msgs.php?id=17133 Once fixed by adodb guys, we'll return to their official distro. + * drivers/adodb-mssql.inc.php, drivers/adodb-oci8.inc.php (qstr) and + adodb.inc.php (addq and qstr) - fixed wrong "undo magic quotes" that was + ignoring "magic_quotes_sybase" and leading to wrongly escaped contents. MDL-19452 + Reported privately to John Lim, will be added to upstream soon. Once fixed + we'll return to their official distro. skodak, iarenaza, moodler, stronk7 -- 2.39.5