fixed the sql-inject issue properly :P

2010-02-26 23:10:08 +02:00
parent a2916d3ce0
commit 64fdd7d988


@@ -613,14 +613,12 @@ class ActiveRecord {
$cond = array(); $cond = array();
foreach( $conditions as $key => $value ) { foreach( $conditions as $key => $value ) {
if ( !preg_match('/^[0-9]+$/', $key) && !is_array($value) ) { if ( !preg_match('/^[0-9]+$/', $key) && !is_array($value) ) {
$cond[] = '`'.$key."` = '".$value."'"; $cond[] = '`'.$key."` = ".$this->sql_quote($value);
} elseif ( !is_array($value) && preg_match('/^[0-9]+$/', $value) ) { } elseif ( !is_array($value) && preg_match('/^[0-9]+$/', $value) ) {
$cond[] = '`'.$this->_primary_key."` = '".$value."'"; $cond[] = '`'.$this->_primary_key."` = '".$value."'";
} elseif(is_array($value)) { } elseif(is_array($value)) {
$cond[] = '`'.$key."` IN (".implode(",",$this->sql_quote($value)).")"; $cond[] = '`'.$key."` IN (".implode(",",$this->sql_quote($value)).")";
} else { }
$cond[] = $this->sql_quote($value);
}
} }
$operator = ( !empty($options['operator']) ) ? $options['operator'] : 'AND' ; $operator = ( !empty($options['operator']) ) ? $options['operator'] : 'AND' ;
return ' WHERE '.implode(' '.$operator.' ', $cond); return ' WHERE '.implode(' '.$operator.' ', $cond);
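Review bot: `$options['operator']` on the line before the return and `$key` inside the backticks in the first branch are still concatenated into the WHERE clause without escaping or validation, so if either can originate from request data the injection this commit sets out to fix remains reachable through the operator or the column name. Restrict the operator to the keywords the method expects, e.g. `$operator = ( !empty($options['operator']) && in_array(strtoupper($options['operator']), array('AND','OR'), true) ) ? strtoupper($options['operator']) : 'AND' ;`, and reject keys that are not plain identifiers at the top of the loop body, e.g. `if ( !preg_match('/^[A-Za-z0-9_]+$/', $key) ) { throw new Exception('Invalid column name in conditions: '.$key); }`. Removing the old `else` branch also means a non-numeric value under a numeric key is now silently ignored, and when every condition is ignored the method returns a bare `' WHERE '`, which fails as a query rather than matching every row; a short comment stating that this is intended would help the next reader. The `IN` branch presumably relies on `sql_quote()` accepting an array, which the second hunk does not show — confirm against the full method.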
@@ -871,7 +869,7 @@ class ActiveRecord {
if ( ($field == 'integer' || $field == 'decimal') && preg_match('/^[0-9\-\.]+$/', $input) ) { if ( ($field == 'integer' || $field == 'decimal') && preg_match('/^[0-9\-\.]+$/', $input) ) {
return $input; return $input;
} else { } else {
return "'".addslashes(urldecode($input))."'"; return "'".addslashes($input)."'";
} }
} }
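Review bot: `addslashes()` on the quoted branch is not a SQL escaping function — it is unaware of the connection's character set, so with multibyte charsets the backslash it inserts can be absorbed into a preceding character and the quote survives; the string branch should use the driver's connection-aware escape function or, better, bound parameters, while dropping `urldecode()` here is correct since decoding belongs to the input layer. The numeric branch on the hunk's first line is looser than it looks: `/^[0-9\-\.]+$/` accepts strings made only of `-` and `.`, which are not numeric literals yet reach the query unquoted, so tighten it to `preg_match('/^-?[0-9]+(\.[0-9]+)?$/', $input)`. The function's signature is not in the hunk (the header counts seven lines and six are shown), so whether `$input` is guaranteed to be a string at this point cannot be verified from the page.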