summaryrefslogtreecommitdiff
path: root/drivers
AgeCommit message (Collapse)AuthorFilesLines
2018-03-30Bump version to 5.20.11v5.20.11Damien Regad56-56/+56
2018-03-30Fix potential SQL injection in SelectLimit()Dave Paul13-12/+37
The `SelectLimit` function has a potential SQL injection vulnerability through the use of the `nrows` and `offset` parameters which are not forced to integers. This is a follow-up on #311, and fixes all remaining drivers that do not use ADOConnection::SelectLimit(). Fixes #401 Signed-off-by: Damien Regad <dregad@mantisbt.org> Original commits squashed, message reworded. Fixed whitespace.
2018-03-30Ensure SelectLimit $nrows and`$offset parameters are integersDamien Regad1-0/+2
The same is done (at least for `$nrows`) in the `SelectLimit` method of `Adodb/adodb.inc.php`. This lowers the risk of SQL injection. Fixes #311 (cherry picked from commit 7d43989dc95fd00fcf3ba73e08fdaf56ffa4f3e5)
2018-03-30Replace $php_errormsg with error_get_last()Damien Regad6-70/+65
Reserved variable $php_errormsg is deprecated in PHP 7.2 http://php.net/manual/en/reserved.variables.phperrormsg.php Fixes #405
2018-03-30Replace create_function() by anonymous functionsDamien Regad2-2/+12
create_function() is deprecated in PHP 7.2 http://php.net/manual/en/function.create-function.php Fixes #404
2018-03-30One more occurence of each()Damien Regad1-2/+1
Fixes #373
2018-03-30Replace each() with foreach for PHP7.2 compatibilityMarina Glancy3-5/+5
Backported from d9cc6c66ec08e5a517f8fa4503345ead992e2a62. I meant to do this in 5.20.10 but I forgot... Fixes #373
2018-03-08Bump version to 5.20.10v5.20.10Damien Regad56-56/+56
2017-11-29sybase: fix PHP Warning in _connect()/_pconnectAlejandro Aguayo1-4/+4
Fixes #371 Signed-off-by: Damien Regad <dregad@mantisbt.org> Changes from original pull request: - suppress errors in _connect() also - commit message reworded
2017-11-26mysql: fix typo in _connect() error messageRyan P.C. McQuen1-1/+1
2017-11-26mysqli: suppress error on db connectRyan P.C. McQuen1-1/+1
This way if the connection fails, the error can be captured and used as intended. Without this, mysqli_real_connect() triggers a PHP warning. Fixes #348
2017-11-25mssql: string keys are not allowed in parameters arraysAndreas Thaden1-2/+0
Fixes #316
2017-11-25PDO sqlsrv fix auto-commit errormarcelto3-3/+32
Add SetAutoCommit() method for PDO drivers. Avoids PDO Error: The auto-commit mode cannot be changed for this driver Fixes #347
2016-12-21Bump version to 5.20.9v5.20.9Damien Regad56-56/+56
2016-12-17mssql: Fix syntax error in version matching regexDamien Regad1-1/+1
Regression introduced by 7c758c3cbb9ecc639f5744d991e8a6d5c35e5be4. Fixes #305
2016-12-17Bump version to 5.20.8v5.20.8Damien Regad56-56/+56
2016-12-17oci8po: fix SelectLimit() with prepared statementsDamien Regad2-26/+42
The ADOdb_oci8::SelectLimit() method performs Oracle-specific query optimization, manipulating the SQL to apply hints in a way that is not compatible with the oci8po driver, due to conversion of query parameters ('?' vs oci8 native ':xx'). To avoid the problem, we define the SelectLimit() method directly in ADODB_oci8po, and rely on the slower ADOConnection::SelectLimit() method from the base class. Also, to avoid issues with prepared statements causing PHP to throw a Warning: "oci_execute(): supplied resource is not a valid oci8 statement resource", we retrieve the prepared statement's SQL and pass it on to ADOConnection::SelectLimit(). Fixes #282
2016-12-17mssql: Method errorno returned -1 on success instead of 0Mark Newnham1-2/+1
The method incorrectly returned -1 for success instead of 0. In addition, the method attempted to distinguish between warnings and errors produced by the SQL Server parameter "WarningsReturnAsErrors" when logging was enabled, but in ADOdb logging this parameter is always set false so the code was removed. Fixes #298
2016-12-17mssql: default sequence name consistencyDamien Regad1-1/+1
Use 'adodbseq' everywhere
2016-12-17mssql: fix parameter forwarding in GenID methodsLaurent Navarro1-5/+5
Incorrect forwarding of parameter values from GenID() to GenID2008/2012 forced the sequence name to the default of 'adodbseq'. Fixes #300
2016-12-17mssql: GenId2008() not returning next value in sequenceLaurent Navarro1-1/+1
Fixes #302
2016-12-17mssql: fix typo in class variable nameDamien Regad1-1/+1
2016-12-01mssql: Workaround to fix query not returning idDamien Regad1-1/+1
This modified regex allows matching of empty strings and is much more efficient than the original one. A better fix for this will be available in v5.21 Fixes #185
2016-11-20mssql: allow GenID2012() to use any sequence nameDamien Regad1-1/+1
Removes the extra assignment of $seq when calling CreateSequence2012() (possibly leftover from a copy/paste ?) which was causing the code to always use the default 'adodbseq' sequence. Fixes #295
2016-11-20mssql: add support for versions 2016 and laterDamien Regad1-5/+3
Removes the unnecessary upper bound on the server version check. Fixes #294
2016-11-20mssql: optimize server version detectionDamien Regad1-22/+13
The code in ServerVersion() method now only calls preg_match() once.
2016-11-20Driver now correctly recognizes SQL Server 2014 databases when creating ↵Mark Newnham1-0/+8
sequences Backported from master (b28cafea05d0c88018dd0c980ba024de1e54192f).
2016-11-20mssql: add missing cachedSchemaFlush propertyDamien Regad1-0/+1
The property is referenced in MetaColumns(), and calling this method causes an 'Undefined property' PHP Notice to be thrown. Fixes #289
2016-11-19oci8po: fix inconsistent variable binding in SelectLimit()Pat Bateman1-3/+9
Allow indexed or associative array for bindvars. Fixes #288 Signed-off-by: Damien Regad <dregad@mantisbt.org>
2016-09-20Bump version to 5.20.7v5.20.7Damien Regad56-56/+56
2016-09-20Update changelogDamien Regad56-56/+56
2016-09-14oci8po: prevent segfault on php7Damyon Wiese1-4/+9
The OCIFetchinto function is causing segfaults on php7 - probably because the fields array is not initialised or it is optimised out. This fixes just changes to use the safer function oci_fetch_array instead. Fixes #259 Signed-off-by: Damien Regad <dregad@mantisbt.org>
2016-09-06PDO: fix incorrect quoting allowing SQL injectionDamien Regad1-0/+24
The PDO driver was relying on ADOConnection::qstr() for quoting strings. An application relying on qstr() to manually prepare SQL statements rather than using parameterized queries may be vulnerable to SQL injection attacks, as demonstrated by @jdavidlists. This commit delegates string quoting to PDO::quote() when a connection is available. If not, it simply replaces single quotes by the value of $replaceQuote property. Fixes #226
2016-09-06PDO/mysql: fix MetaTables broken SQLDamien Regad1-1/+1
When a schema is specified in $showSchema, the function generates an invalid where clause: WHERE TABLE_SCHEMA= from myschema ^ should be 'myschema' Fixes #275
2016-09-06PDO MySQL fix for MetaTablesAndy Theuninck1-0/+2
The generated query is broken with the default method arguments. Fixes #275 Signed-off-by: Damien Regad <dregad@mantisbt.org> Original commit changed to use single quotes, added issue reference.
2016-08-31Bump version to 5.20.6v5.20.6Damien Regad56-56/+56
2016-08-10Bump version to 5.20.5v5.20.5Damien Regad56-56/+56
2016-05-25mysqli: fix #240 PHP notice in _close() methodRamūnas Bunokas1-1/+1
2016-05-25PDO: let driver handle SelectDB() and SQLDate() callsAndy Theuninck1-0/+11
Calls to ADODB_pdo::SelectDB() and ADODB_pdo::SQLDate() should be passed through to the underlying $_driver object. If the $database property of the underlying $_driver object isn't initialized correctly, the 1st call to MetaColumns using "schemaName.tableName" as an argument may alter the connection's currently selected database. Fixes #242, related to #40. Signed-off-by: Damien Regad <dregad@mantisbt.org>
2016-05-25Use SQL server native data types if available, see #234Mark Newnham1-4/+14
If the database is Microsoft SQL Server, use the sqlsrv native data types (sqlsrv:decl_type) instead of the PDO native type for improved field type recognition. This fix has been migrated to the pdo_sqlsrv driver in v5.21 (see #245, #247, #245, #250)
2016-05-25Destructor fails if recordset already closedMark Newnham1-1/+1
If the recordset has already been closed, the destructor occasionally fails because the queryId has sometimes been set to -1, not false. See #170, #180
2016-03-31Fix PHP warning in ADORecordset_mysqli::__close()v5.20.4Damien Regad1-1/+1
A warning is triggered when getInsertSql() is passed a string for the tablename: mysqli_free_result() expects parameter 1 to be mysqli_result, integer given Fixes #217
2016-03-30Bump version to 5.20.4Damien Regad56-56/+56
2016-03-30mysqli: cast port number to int when connectingDamien Regad1-1/+2
In PHP7, mysqli_real_connect() expects the port number to be an int; PHP throws a warning if we give it a string, which is usually the case since the port is parsed from a 'hostname:port'. Fixes #218
2016-01-01Bump version to 5.20.3v5.20.3Damien Regad56-56/+56
2016-01-01mssql: fix error when closing RS from destructorDamien Regad2-3/+5
Fixes #180 (this is the correct fix for issue #170).
2015-12-27Bump version to 5.20.2v5.20.2Damien Regad56-56/+56
2015-12-20mssql: avoid error when closing RS from destructorDamien Regad2-4/+9
Fix #170
2015-12-20informix: avoid error when closing RS from destructorDamien Regad1-2/+8
Fixing this is somewhat academic considering that informix driver is no longer supported since PHP 5.2.1 Fixes #170
2015-12-20mysqli: Remove use of '@' operator in RS::_close()Damien Regad1-3/+7
Avoids PHP notice when closing recordset Fixes #170