| author | Damien Regad <dregad@mantisbt.org> | 2021-01-25 01:52:20 +0100 |
|---|---|---|
| committer | Damien Regad <dregad@mantisbt.org> | 2021-01-25 02:12:07 +0100 |
| commit | faf71c5f3ef8823328f4f98e4562744ff04632ee (patch) | |
| tree | 196cbc66e6c51d064cf3e36f18550d69bc4a7927 /drivers | |
| parent | 82e26bb5db3649641117749374a219201b86cbd9 (diff) | |
| download | adodb-faf71c5f3ef8823328f4f98e4562744ff04632ee.tar.gz adodb-faf71c5f3ef8823328f4f98e4562744ff04632ee.tar.bz2 adodb-faf71c5f3ef8823328f4f98e4562744ff04632ee.zip | |
Remove all magic quotes related code
The $magic_quotes parameter of the public qStr() methods was kept for backwards
compatibility purposes, but is no longer used.
Fixes #674
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/adodb-ado_mssql.inc.php | 4 | ||||
| -rw-r--r-- | drivers/adodb-mssql.inc.php | 43 | ||||
| -rw-r--r-- | drivers/adodb-mysql.inc.php | 37 | ||||
| -rw-r--r-- | drivers/adodb-mysqli.inc.php | 39 | ||||
| -rw-r--r-- | drivers/adodb-oci8.inc.php | 38 | ||||
| -rw-r--r-- | drivers/adodb-pdo.inc.php | 26 | ||||
| -rw-r--r-- | drivers/adodb-postgres64.inc.php | 35 |
7 files changed, 101 insertions, 121 deletions
diff --git a/drivers/adodb-ado_mssql.inc.php b/drivers/adodb-ado_mssql.inc.php
index 54779599..3a3fc3a9 100644
--- a/drivers/adodb-ado_mssql.inc.php
+++ b/drivers/adodb-ado_mssql.inc.php
@@ -61,9 +61,9 @@ class ADODB_ado_mssql extends ADODB_ado {
 		$this->Execute("SET TRANSACTION ".$transaction_mode);
 	}
 
-	function qstr($s,$magic_quotes=false)
+	function qStr($s, $magic_quotes=false)
 	{
-		$s = ADOConnection::qstr($s, $magic_quotes);
+		$s = ADOConnection::qStr($s);
 		return str_replace("\0", "\\\\000", $s);
 	}
 
diff --git a/drivers/adodb-mssql.inc.php b/drivers/adodb-mssql.inc.php
index 797bb48f..6d8d827c 100644
--- a/drivers/adodb-mssql.inc.php
+++ b/drivers/adodb-mssql.inc.php
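Review bot: The retained `$magic_quotes` parameter on `qStr` in adodb-ado_mssql.inc.php is left undocumented, while every sibling driver in this commit gains a docblock stating that the flag is unused since 5.21.0 and only kept for backwards compatibility. Add the same docblock here so callers do not assume the flag still influences quoting: `@param bool $magic_quotes This param is not used since 5.21.0. It remains for backwards compatibility.` together with `@noinspection PhpUnusedParameterInspection`. A one-line why-comment on the `str_replace("\0", "\\\\000", $s)` line would also help, since rewriting NUL bytes after the parent's quoting is the only driver-specific behaviour left in the method and its purpose is not stated anywhere in the hunk.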
@@ -127,37 +127,22 @@ class ADODB_mssql extends ADOConnection {
 
 	/**
-	 * Correctly quotes a string so that all strings are escaped. We prefix and append
-	 * to the string single-quotes.
-	 * An example is $db->qstr("Don't bother",magic_quotes_runtime());
-	 *
-	 * @param s the string to quote
-	 * @param [magic_quotes] if $s is GET/POST var, set to get_magic_quotes_gpc().
-	 * This undoes the stupidity of magic quotes for GPC.
-	 *
-	 * @return quoted string to be sent back to database
-	 */
-	function qstr($s,$magic_quotes=false)
+	 * Correctly quotes a string so that all strings are escaped.
+	 * We prefix and append to the string single-quotes.
+	 * An example is $db->qstr("Don't bother");
+	 *
+	 * @param string $s The string to quote
+	 * @param bool $magic_quotes This param is not used since 5.21.0.
+	 *                           It remains for backwards compatibility.
+	 *
+	 * @return string Quoted string to be sent back to database
+	 *
+	 * @noinspection PhpUnusedParameterInspection
+	 */
+	function qStr($s, $magic_quotes=false)
 	{
-		if (!$magic_quotes) {
-			return "'".str_replace("'",$this->replaceQuote,$s)."'";
-		}
-
-		// undo magic quotes for " unless sybase is on
-		$sybase = ini_get('magic_quotes_sybase');
-		if (!$sybase) {
-			$s = str_replace('\\"','"',$s);
-			if ($this->replaceQuote == "\\'") // ' already quoted, no need to change anything
-				return "'$s'";
-			else {// change \' to '' for sybase/mssql
-				$s = str_replace('\\\\','\\',$s);
-				return "'".str_replace("\\'",$this->replaceQuote,$s)."'";
-			}
-		} else {
-			return "'".$s."'";
-		}
+		return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
 	}
-// moodle change end - see readme_moodle.txt
 
 	function _affectedrows()
 	{
diff --git a/drivers/adodb-mysql.inc.php b/drivers/adodb-mysql.inc.php
index b60f1c62..403fe183 100644
--- a/drivers/adodb-mysql.inc.php
+++ b/drivers/adodb-mysql.inc.php
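Review bot: The new one-line body of `qStr` in adodb-mssql.inc.php hands `$s` straight to `str_replace()`, so a `null` argument is quoted as `''` rather than the SQL `NULL` that the mysql and mysqli hunks of this same commit return through their `is_null()` guard, and on PHP 8.1+ passing null to a string parameter of `str_replace()` raises a deprecation. Adding the same guard ahead of the return keeps the drivers consistent: `if (is_null($s)) { return 'NULL'; }`. Whether existing callers rely on the empty-string behaviour is not visible from the hunk, so this should be checked against the base `ADOConnection::qStr()` before changing it.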
@@ -245,25 +245,32 @@ class ADODB_mysql extends ADOConnection {
 	}
 
-	// if magic quotes disabled, use mysql_real_escape_string()
-	function qstr($s, $magic_quotes=false)
+	/**
+	 * Appropriately quotes strings with ' characters for insertion into the database.
+	 *
+	 * Relies on mysql_real_escape_string()
+	 * @link https://adodb.org/dokuwiki/doku.php?id=v5:reference:connection:qstr
+	 *
+	 * @param string $s The string to quote
+	 * @param bool $magic_quotes This param is not used since 5.21.0.
+	 *                           It remains for backwards compatibility.
+	 *
+	 * @return string Quoted string
+	 */
+	function qStr($s, $magic_quotes=false)
 	{
-		if (is_null($s)) return 'NULL';
-		if (!$magic_quotes) {
-
-			if (is_resource($this->_connectionID)) {
-				return "'" . mysql_real_escape_string($s, $this->_connectionID) . "'";
-			}
+		if (is_null($s)) {
+			return 'NULL';
+		}
 
-			if ($this->replaceQuote[0] == '\\'){
-				$s = str_replace(array('\\',"\0"), array('\\\\',"\\\0"), $s);
-			}
-			return "'".str_replace("'", $this->replaceQuote, $s)."'";
+		if (is_resource($this->_connectionID)) {
+			return "'" . mysql_real_escape_string($s, $this->_connectionID) . "'";
 		}
-		// undo magic quotes for "
-		$s = str_replace('\\"','"',$s);
-		return "'$s'";
+		if ($this->replaceQuote[0] == '\\') {
+			$s = str_replace(array('\\', "\0"), array('\\\\', "\\\0"), $s);
+		}
+		return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
 	}
 
 	function _insertid()
diff --git a/drivers/adodb-mysqli.inc.php b/drivers/adodb-mysqli.inc.php
index 2c01deac..8a4d92b7 100644
--- a/drivers/adodb-mysqli.inc.php
+++ b/drivers/adodb-mysqli.inc.php
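Review bot: The docblock added for `qStr` in adodb-mysql.inc.php says the method relies on `mysql_real_escape_string()`, but the body silently falls back to a hand-rolled `str_replace()` whenever `$this->_connectionID` is not a resource, and that fallback knows nothing about the connection character set, which is precisely the multibyte-escaping case `mysql_real_escape_string()` exists to handle. That degradation should be visible to readers rather than implicit: a comment above the fallback such as `// No connection yet: best-effort escaping that ignores the connection charset; quote after Connect() for untrusted input.` and a matching sentence in the docblock. Note also that the backslash and NUL escaping in the fallback only runs when `replaceQuote` begins with a backslash; the driver's default for `replaceQuote` is outside this hunk, so whether the other branch is reachable cannot be confirmed here.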
@@ -347,36 +347,31 @@ class ADODB_mysqli extends ADOConnection {
 	/**
 	 * Appropriately quotes strings with ' characters for insertion into the database.
 	 *
+	 * Relies on mysqli_real_escape_string()
 	 * @link https://adodb.org/dokuwiki/doku.php?id=v5:reference:connection:qstr
 	 *
-	 * @param string $s The string to quote
-	 * @param boolean $magic_quotes If false, use mysqli_real_escape_string()
-	 *     if you are quoting a string extracted from a POST/GET variable,
-	 *     then pass get_magic_quotes_gpc() as the second parameter. This will
-	 *     ensure that the variable is not quoted twice, once by qstr() and
-	 *     once by the magic_quotes_gpc.
-	 *     Eg. $s = $db->qstr(_GET['name'],get_magic_quotes_gpc());
+	 * @param string $s The string to quote
+	 * @param bool $magic_quotes This param is not used since 5.21.0.
+	 *                           It remains for backwards compatibility.
 	 *
 	 * @return string Quoted string
 	 */
-	function qstr($s, $magic_quotes = false)
+	function qStr($s, $magic_quotes=false)
 	{
-		if (is_null($s)) return 'NULL';
-		if (!$magic_quotes) {
-			// mysqli_real_escape_string() throws a warning when the given
-			// connection is invalid
-			if ($this->_connectionID) {
-				return "'" . mysqli_real_escape_string($this->_connectionID, $s) . "'";
-			}
+		if (is_null($s)) {
+			return 'NULL';
+		}
 
-			if ($this->replaceQuote[0] == '\\') {
-				$s = str_replace(array('\\',"\0"), array('\\\\',"\\\0") ,$s);
-			}
-			return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
+		// mysqli_real_escape_string() throws a warning when the given
+		// connection is invalid
+		if ($this->_connectionID) {
+			return "'" . mysqli_real_escape_string($this->_connectionID, $s) . "'";
+		}
+
+		if ($this->replaceQuote[0] == '\\') {
+			$s = str_replace(array('\\', "\0"), array('\\\\', "\\\0") ,$s);
 		}
-		// undo magic quotes for "
-		$s = str_replace('\\"','"',$s);
-		return "'$s'";
+		return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
 	}
 
 	/**
diff --git a/drivers/adodb-oci8.inc.php b/drivers/adodb-oci8.inc.php
index b095947b..7c5b8e6b 100644
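Review bot: In the no-connection fallback of `qStr` in adodb-mysqli.inc.php, backslashes and NUL bytes are escaped only when `$this->replaceQuote[0] == '\\'`, so the fallback is correct only as long as `replaceQuote` agrees with the server's `sql_mode`: if it were `''` while the server still honours backslash escapes, an input of `\'` would be emitted as `\''`, which MySQL reads as an escaped quote followed by the end of the literal. The default for `replaceQuote` and how it is kept in sync with the server are outside this hunk, so this may be unreachable in practice, but the assumption deserves a comment above that branch, e.g. `// Fallback assumes replaceQuote matches the server's backslash handling; the mysqli_real_escape_string() path above is the safe one.` Minor style point on the `str_replace()` line of the same branch: `array('\\\\', "\\\0") ,$s` has a stray space before the comma that the mysql hunk of this commit does not.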
--- a/drivers/adodb-oci8.inc.php
+++ b/drivers/adodb-oci8.inc.php
@@ -1540,37 +1540,27 @@ SELECT /*+ RULE */ distinct b.column_name
 	}
 
 	/**
-	 * Quotes a string.
-	 * An example is $db->qstr("Don't bother",magic_quotes_runtime());
+	 * Correctly quotes a string so that all strings are escaped.
+	 * We prefix and append to the string single-quotes.
+	 * An example is $db->qstr("Don't bother");
 	 *
-	 * @param string $s the string to quote
-	 * @param bool $magic_quotes if $s is GET/POST var, set to get_magic_quotes_gpc().
-	 * This undoes the stupidity of magic quotes for GPC.
+	 * @param string $s The string to quote
+	 * @param bool $magic_quotes This param is not used since 5.21.0.
+	 *                           It remains for backwards compatibility.
 	 *
-	 * @return string quoted string to be sent back to database
+	 * @return string Quoted string to be sent back to database
+	 *
+	 * @noinspection PhpUnusedParameterInspection
 	 */
-	function qstr($s,$magic_quotes=false)
+	function qStr($s, $magic_quotes=false)
 	{
-		//$nofixquotes=false;
-
-		if ($this->noNullStrings && strlen($s)==0) {
+		if ($this->noNullStrings && strlen($s) == 0) {
 			$s = ' ';
 		}
-		if (!$magic_quotes) {
-			if ($this->replaceQuote[0] == '\\'){
-				$s = str_replace('\\','\\\\',$s);
-			}
-			return "'".str_replace("'",$this->replaceQuote,$s)."'";
-		}
-
-		// undo magic quotes for " unless sybase is on
-		if (!ini_get('magic_quotes_sybase')) {
-			$s = str_replace('\\"','"',$s);
-			$s = str_replace('\\\\','\\',$s);
-			return "'".str_replace("\\'",$this->replaceQuote,$s)."'";
-		} else {
-			return "'".$s."'";
+		if ($this->replaceQuote[0] == '\\'){
+			$s = str_replace('\\','\\\\',$s);
 		}
+		return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
 	}
 
 }
diff --git a/drivers/adodb-pdo.inc.php b/drivers/adodb-pdo.inc.php
index 4dab4884..6ceddb14 100644
--- a/drivers/adodb-pdo.inc.php
+++ b/drivers/adodb-pdo.inc.php
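Review bot: The refreshed docblock for `qStr` in adodb-oci8.inc.php promises a quoted copy of `$s`, but the body still rewrites an empty string to a single space when `$this->noNullStrings` is set, which changes the stored value and is mentioned nowhere in the documentation. Add a line to the docblock such as `* If $noNullStrings is set, an empty string is quoted as ' ' (a single space).` so the substitution is not a surprise to callers. Separately, `strlen($s)` on a `null` argument is deprecated on PHP 8.1+; `strlen((string) $s)` or an `is_null()` guard like the one in the mysql drivers of this commit would avoid it. Style: the backslash check `== '\\'){` lacks the space before `{` that the other drivers touched here use.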
@@ -618,25 +618,23 @@ class ADODB_pdo extends ADOConnection {
 
 	/**
 	 * Quotes a string to be sent to the database.
+	 *
 	 * If we have an active connection, delegates quoting to the underlying
-	 * PDO object. Otherwise, replace "'" by the value of $replaceQuote (same
-	 * behavior as mysqli driver)
-	 * @param string $s The string to quote
-	 * @param boolean $magic_quotes If false, use PDO::quote().
+	 * PDO object PDO::quote(). Otherwise, replace "'" by the value of
+	 * $replaceQuote (same behavior as mysqli driver).
+	 *
+	 * @param string $s The string to quote
+	 * @param bool $magic_quotes This param is not used since 5.21.0.
+	 *                           It remains for backwards compatibility.
+	 *
 	 * @return string Quoted string
 	 */
-	function qstr($s, $magic_quotes = false)
+	function qStr($s, $magic_quotes = false)
 	{
-		if (!$magic_quotes) {
-			if ($this->_connectionID) {
-				return $this->_connectionID->quote($s);
-			}
-			return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
+		if ($this->_connectionID) {
+			return $this->_connectionID->quote($s);
 		}
-
-		// undo magic quotes for "
-		$s = str_replace('\\"', '"', $s);
-		return "'$s'";
+		return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
 	}
 }
diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index 428b9501..3f94806c 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
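Review bot: `qStr` in adodb-pdo.inc.php returns `$this->_connectionID->quote($s)` unchecked, but `PDO::quote()` is documented to return `false` when the underlying PDO driver does not support quoting, and a `false` concatenated into SQL becomes an empty, unquoted token in the statement. Guard the result and fall through to the existing replacement path instead: `$quoted = $this->_connectionID->quote($s);` / `if ($quoted !== false) { return $quoted; }` / then the current `return "'" . str_replace("'", $this->replaceQuote, $s) . "'";`. That fallback itself only doubles quotes and does not touch backslashes or NUL bytes, so it is only adequate for dialects where `''` is the sole escape; the docblock's "same behavior as mysqli driver" sentence would be a good place to say so.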
@@ -264,27 +264,32 @@ class ADODB_postgres64 extends ADOConnection{
 	}
 
-	// if magic quotes disabled, use pg_escape_string()
-	function qstr($s,$magic_quotes=false)
+	/**
+	 * Quotes a string to be sent to the database.
+	 *
+	 * Relies on pg_escape_string()
+	 * @link https://adodb.org/dokuwiki/doku.php?id=v5:reference:connection:qstr
+	 *
+	 * @param string $s The string to quote
+	 * @param bool $magic_quotes This param is not used since 5.21.0.
+	 *                           It remains for backwards compatibility.
+	 *
+	 * @return string Quoted string
+	 */
+	function qStr($s, $magic_quotes=false)
 	{
-		if (is_bool($s)) return $s ? 'true' : 'false';
-
-		if (!$magic_quotes) {
-			if ($this->_connectionID) {
-				return "'" . pg_escape_string($this->_connectionID, $s) . "'";
-			}
-			else {
-				return "'" . pg_escape_string($s) . "'";
-			}
+		if (is_bool($s)) {
+			return $s ? 'true' : 'false';
 		}
-		// undo magic quotes for "
-		$s = str_replace('\\"','"',$s);
-		return "'$s'";
+		if ($this->_connectionID) {
+			return "'" . pg_escape_string($this->_connectionID, $s) . "'";
+		} else {
+			return "'" . pg_escape_string($s) . "'";
+		}
 	}
 
-	// Format date column in sql string given an input format that understands Y M D
 	function SQLDate($fmt, $col=false)
 	{
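Review bot: The unconnected branch of `qStr` in adodb-postgres64.inc.php calls `pg_escape_string($s)` without a connection, so the escaping follows libpq's defaults (the PHP manual says the last opened connection, if any) rather than the encoding and `standard_conforming_strings` setting of the connection the string will actually be sent on; quoting before `Connect()` is therefore not guaranteed to match the server. That limitation belongs in the new docblock, e.g. `* Without an active connection the escaping cannot take the server's encoding into account; quote after connecting.` Two smaller points: `null` is not handled here, so `pg_escape_string(null)` yields `''` where the mysql drivers of this commit return `NULL`, and the `} else {` after an unconditional `return` could simply be dropped for a flat early return, as the pdo hunk does.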
