path: root/drivers
Age | Commit message | Author | Files | Lines
2018-03-30 | Fix potential SQL injection in SelectLimit() | Dave Paul | 13 | -12/+37
The `SelectLimit` function has a potential SQL injection vulnerability through the use of the `nrows` and `offset` parameters which are not forced to integers. This is a follow-up on #311, and fixes all remaining drivers that do not use ADOConnection::SelectLimit().
Fixes #401
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Original commits squashed, message reworded. Fixed whitespace.
2018-03-30 | Ensure SelectLimit $nrows and $offset parameters are integers | Damien Regad | 1 | -0/+2
The same is done (at least for `$nrows`) in the `SelectLimit` method of `Adodb/adodb.inc.php`. This lowers the risk of SQL injection. Fixes #311 (cherry picked from commit 7d43989dc95fd00fcf3ba73e08fdaf56ffa4f3e5)
2018-03-30 | Remove statics from fetchField | David M. Lee | 1 | -16/+0
In the pdo_sqlsrv driver, static locals were used to cache field names. Unfortunately, this means that if the results for multiple queries were mapped, the field names for the first query were used instead of updated field names for the subsequent queries.
2018-03-30 | Replace $php_errormsg with error_get_last() | Damien Regad | 6 | -70/+65
Reserved variable $php_errormsg is deprecated in PHP 7.2 http://php.net/manual/en/reserved.variables.phperrormsg.php Fixes #405
2018-03-30 | Replace create_function() by anonymous functions | Damien Regad | 2 | -2/+12
create_function() is deprecated in PHP 7.2 http://php.net/manual/en/function.create-function.php Fixes #404
2018-03-30 | One more occurrence of each() | Damien Regad | 1 | -2/+1
Fixes #373
2018-03-30 | Replace each() with foreach for PHP7.2 compatibility | Marina Glancy | 3 | -5/+5
Backported from d9cc6c66ec08e5a517f8fa4503345ead992e2a62. I meant to do this in 5.20.10 but I forgot... Fixes #373
2018-03-09 | mysql: die if extension is not available | Damien Regad | 1 | -2/+11
2018-03-09 | mysql: die if PHP >= 7.0, warning if >= 5.5 | Damien Regad | 1 | -0/+15
2018-03-08 | Bump version to 5.20.10 [v5.20.10] | Damien Regad | 56 | -56/+56
2018-01-30 | Merge branch 'hotfix/5.20.10' | Damien Regad | 1 | -4/+4
2017-12-04 | Fix typo in property name | Damien Regad | 1 | -1/+1
Regression from f12543aef8f772b8e2e07e84fb3fd0767a67fb17 (#334) Fixes #382
2017-11-29 | sybase: fix PHP Warning in _connect()/_pconnect | Alejandro Aguayo | 1 | -4/+4
Fixes #371
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Changes from original pull request:
- suppress errors in _connect() also
- commit message reworded
2017-11-27 | Fix more ADORecordSet::__construct inconsistencies | Damien Regad | 4 | -4/+4
Fixes #278
2017-11-27 | ADORecordSet constructor takes only one parameter | mezaof | 1 | -1/+1
Follow-up on 811f491830adc0b0a510a2ad30affe159f68e5d8. Fixes #278
2017-11-26 | pgsql: only set bytea_output on connect if required | Damien Regad | 1 | -2/+5
PostgreSQL 9.0 changed the default output for bytea from 'escape' to 'hex', and PHP does not handle data properly if compiled with postgres library < 9.2.
Reference
- https://bugs.php.net/bug.php?id=59831
- https://bugs.horde.org/ticket/10919#c4
So setting bytea_output=escape is only needed when server >= 9.0 and client < 9.2.
2017-11-26 | pgsql: remove unnecessary SELECT when connecting | Damien Regad | 1 | -3/+3
Make use of the revised ServerInfo() method to avoid running a query with each connection to retrieve the server version number. Fixes #334
2017-11-26 | pgsql: ServerInfo() now returns client version too | Damien Regad | 1 | -7/+11
2017-11-26 | pgsql: new ServerInfo() param to avoid unnecessary SELECT | Damien Regad | 1 | -6/+28
The PostgreSQL server version number can be retrieved through pg_parameter_status(). A new optional parameter was added to allow caller to only retrieve the version number without executing an extra SQL statement. To maintain backwards compatibility and keep returning a detailed version string in the 'description' key of the version array as the code used to do, the parameter defaults to true.
2017-11-26 | Merge branch 'hotfix/5.20.10' | Damien Regad | 1 | -2/+2
2017-11-26 | mysql: fix typo in _connect() error message | Ryan P.C. McQuen | 1 | -1/+1
2017-11-26 | mysqli: suppress error on db connect | Ryan P.C. McQuen | 1 | -1/+1
This way if the connection fails, the error can be captured and used as intended. Without this, mysqli_real_connect() triggers a PHP warning. Fixes #348
2017-11-25 | Merge branch 'hotfix/5.20.10' | Damien Regad | 4 | -5/+32
2017-11-25 | Ensure SelectLimit $nrows and $offset parameters are integers | Damien Regad | 1 | -0/+2
The same is done (at least for `$nrows`) in the `SelectLimit` method of `Adodb/adodb.inc.php`. This lowers the risk of SQL injection. Fixes #311
2017-11-25 | MSSQL driver: support alternative port in connect | Merijn | 1 | -0/+2
Fix actually using the alternative port if it was specified. The base driver class will strip the port from hostname and put it in port property. So now add it again if it was set. Fixes #314
2017-11-25 | mssql: string keys are not allowed in parameters arrays | Andreas Thaden | 1 | -2/+0
Fixes #316
2017-11-25 | PDO sqlsrv fix auto-commit error | marcelto | 3 | -3/+32
Add SetAutoCommit() method for PDO drivers. Avoids PDO Error: The auto-commit mode cannot be changed for this driver Fixes #347
2017-11-25 | Replace each() with foreach for PHP7.2 compatibility | Marina Glancy | 3 | -5/+5
2017-08-09 | PDO pgsql: add support for transactions | dulaman | 1 | -0/+60
Fixes PDO Errors:
- The transaction isolation level cannot be changed for this driver
- The auto-commit mode cannot be changed for this driver
Fixes #363
Signed-off-by: Damien Regad <dregad@mantisbt.org>
2017-08-09 | PDO sqlsrv: add SetTransactionMode method | dulaman | 1 | -0/+11
Fixes PDO Error: The transaction isolation level cannot be changed for this driver. Fixes #362 Signed-off-by: Damien Regad <dregad@mantisbt.org>
2017-08-09 | Use include_once instead of include (#361) | Merijn | 13 | -15/+15
Most of the includes in adodb.inc.php are done with include_once but in a couple locations it's still done with include. This is the case for adodb-lib.inc.php which is conditionally included based on a global var. I ran into problems with running adodb in debug mode while running phpunit tests. Phpunit will reset the global vars and thus break the include mechanism. This is a problem of phpunit and can be worked around. However it would make adodb more robust to just use include_once everywhere. It will remove the dependency on the $ADODB_INCLUDED_LIB global var. I also replaced one include statement in adodb-time.inc.php, in various drivers and other files too, so include_once is used everywhere. Signed-off-by: Damien Regad <dregad@mantisbt.org>
2017-05-08 | Ensure that the bind array is numeric, see #336 | Mark Newnham | 1 | -1/+8
2016-12-21 | Merge branch 'hotfix/5.20.9' | Damien Regad | 1 | -1/+1
Conflicts: docs/changelog.md
2016-12-21 | Bump version to 5.21.0-dev | Damien Regad | 56 | -56/+56
2016-12-21 | Bump version to 5.20.9 [v5.20.9] | Damien Regad | 56 | -56/+56
2016-12-17 | mssql: Fix syntax error in version matching regex | Damien Regad | 1 | -1/+1
Regression introduced by 7c758c3cbb9ecc639f5744d991e8a6d5c35e5be4. Fixes #305
2016-12-17 | Whitespace, coding guidelines | Damien Regad | 1 | -56/+55
2016-12-17 | mssql: initialize mssql_version at connection time | Damien Regad | 1 | -8/+3
This avoids having to test whether the property has been set, and to call the ServerVersion() method several times.
2016-12-17 | Merge branch 'hotfix/5.20.8' | Damien Regad | 3 | -63/+80
Conflicts: drivers/adodb-mssqlnative.inc.php
2016-12-17 | Reset version to avoid merge conflicts | Damien Regad | 56 | -56/+56
2016-12-17 | Bump version to 5.20.8 [v5.20.8] | Damien Regad | 56 | -56/+56
2016-12-17 | oci8po: fix SelectLimit() with prepared statements | Damien Regad | 2 | -26/+42
The ADOdb_oci8::SelectLimit() method performs Oracle-specific query optimization, manipulating the SQL to apply hints in a way that is not compatible with the oci8po driver, due to conversion of query parameters ('?' vs oci8 native ':xx'). To avoid the problem, we define the SelectLimit() method directly in ADODB_oci8po, and rely on the slower ADOConnection::SelectLimit() method from the base class. Also, to avoid issues with prepared statements causing PHP to throw a Warning: "oci_execute(): supplied resource is not a valid oci8 statement resource", we retrieve the prepared statement's SQL and pass it on to ADOConnection::SelectLimit(). Fixes #282
2016-12-17 | mssql: Method errorno returned -1 on success instead of 0 | Mark Newnham | 1 | -2/+1
The method incorrectly returned -1 for success instead of 0. In addition, the method attempted to distinguish between warnings and errors produced by the SQL Server parameter "WarningsReturnAsErrors" when logging was enabled, but in ADOdb logging this parameter is always set false so the code was removed. Fixes #298
2016-12-17 | mssql: default sequence name consistency | Damien Regad | 1 | -1/+1
Use 'adodbseq' everywhere
2016-12-17 | mssql: fix parameter forwarding in GenID methods | Laurent Navarro | 1 | -5/+5
Incorrect forwarding of parameter values from GenID() to GenID2008/2012 forced the sequence name to the default of 'adodbseq'. Fixes #300
2016-12-17 | mssql: GenId2008() not returning next value in sequence | Laurent Navarro | 1 | -1/+1
Fixes #302
2016-12-17 | mssql: fix typo in class variable name | Damien Regad | 1 | -1/+1
2016-12-17 | pgsql: PHPDoc block for blobEncode() | Damien Regad | 1 | -7/+11
Fix broken link to PostgreSQL online documentation.
2016-12-01 | mssql: Workaround to fix query not returning id | Damien Regad | 1 | -1/+1
This modified regex allows matching of empty strings and is much more efficient than the original one. A better fix for this will be available in v5.21 Fixes #185
2016-11-27 | method errorno returned -1 on success instead of 0, see #298 | Mark Newnham | 1 | -2/+1
The method incorrectly returned -1 for success instead of 0. In addition, the method attempted to distinguish between warnings and errors produced by the SQL Server parameter "WarningsReturnAsErrors" when logging was enabled, but in ADOdb logging this parameter is always set false so the code was removed.