From 4d4ec8d54852d0939e17ddf796032c7f2725a459 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Sat, 17 Dec 2005 21:23:36 +0000
Subject: [PATCH] The notion of automatically escaping text for us is stupid... it no longer exists; if you want to insert something into the database, use ISSO->escape(). We need to also check to see what happens if magic quotes is on...
---
 api.php | 35 ++++++++++++++++++++++++++++++++---
 kernel.php | 41 +++++++----------------------------------
 mail.php | 6 +++---
 3 files changed, 42 insertions(+), 40 deletions(-)
diff --git a/api.php b/api.php
index 3591a53..f94ba82 100644
--- a/api.php
+++ b/api.php
@@ -237,7 +237,7 @@ class API
 continue;
 }
- $this->condition = "$name = " . (($options[F_TYPE] == TYPE_NOCLEAN OR $options[F_TYPE] == TYPE_STR OR $options[F_TYPE] == TYPE_STRUN) ? "'" . $this->values["$name"] . "'" : $this->values["$name"]);
+ $this->condition = "$name = " . $this->prepare_field_for_sql($name);
 }
 }
@@ -317,7 +317,7 @@ class API
 foreach ($this->setfields AS $field)
 {
 $fields[] = $field;
- $values[] = (($this->fields["$field"][F_TYPE] == TYPE_NOCLEAN OR $this->fields["$field"][F_TYPE] == TYPE_STR OR $this->fields["$field"][F_TYPE] == TYPE_STRUN) ? "'" . $this->values["$field"] . "'" : $this->values["$field"]);
+ $values[] = $this->prepare_field_for_sql($field);
 }
 $this->registry->modules['db_mysql']->query("INSERT INTO {$this->prefix}{$this->table} (" . implode(',', $fields) . ") VALUES (" . implode(',', $values) . ")");
@@ -343,7 +343,7 @@ class API
 foreach ($this->setfields AS $field)
 {
- $updates[] = "$field = " . (($this->fields["$field"][F_TYPE] == TYPE_NOCLEAN OR $this->fields["$field"][F_TYPE] == TYPE_STR OR $this->fields["$field"][F_TYPE] == TYPE_STRUN) ? "'" . $this->values["$field"] . "'" : $this->values["$field"]);
+ $updates[] = "$field = " . $this->prepare_field_for_sql($field);
 }
 $updates = implode(', ', $updates);
@@ -416,6 +416,35 @@ class API
 $actmethod = (method_exists($this, $method) ? $this->$method() : '');
 }
+ // ###################################################################
+ /**
+ * Prepares a value for use in a SQL query; it encases and escapes
+ * strings and string-like values
+ *
+ * @access private
+ *
+ * @param string Field name
+ *
+ * @return string Prepared value entry
+ */
+ function prepare_field_for_sql($name)
+ {
+ $type = $this->fields["$field"][F_TYPE];
+
+ if ($type == TYPE_NOCLEAN OR $type == TYPE_STR OR $type == TYPE_STRUN)
+ {
+ return "'" . $this->registry->escape($this->values["$name"]) . "'";
+ }
+ else if ($type == TYPE_BOOL)
+ {
+ return (int)$this->values["$name"];
+ }
+ else
+ {
+ return $this->values["$name"];
+ }
+ }
+
 // ###################################################################
 /**
 * Verify field: not a zero value
diff --git a/kernel.php b/kernel.php
index fcd7a44..69a678e 100644
--- a/kernel.php
+++ b/kernel.php
@@ -577,14 +577,7 @@ class Shared_Object_Framework
 }
 else
 {
- if ($this->escapestrings)
- {
- $data["$key"] = $this->escape($this->sanitize($value), false, false);
- }
- else
- {
- $data["$key"] = $this->sanitize($value);
- }
+ $data["$key"] = $this->sanitize($value);
 }
 }
 return $data;
@@ -597,13 +590,12 @@ class Shared_Object_Framework
 * @access public
 *
 * @param string Unsanitzed text
- * @param bool Force magic quotes off?
 *
 * @return string Properly protected text that only encodes potential threats
 */
- function sanitize($text, $force = false)
+ function sanitize($text)
 {
- if ($this->magicquotes AND !$force)
+ if ($this->magicquotes)
 {
 return str_replace(array('<', '>', '\"', '"'), array('<', '>', '"', '"'), $text);
 }
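Review bot: The first statement of the new `prepare_field_for_sql()`, `$type = $this->fields["$field"][F_TYPE];`, reads `$field`, but the function's only parameter is `$name`, so `$field` is undefined there and `$type` ends up null; which branch then runs is decided by loose `==` comparison of null against the TYPE_* constants rather than by the field's declared type, so depending on their values either every value is quoted and escaped or none is. That matters because this helper is now the only place where `escape()` is applied before the condition builder, the INSERT values and the UPDATE list in api.php are sent to the database. The fix is the one-line change `$type = $this->fields["$name"][F_TYPE];`. The final `else` branch still emits the value verbatim, which is only safe if numeric types have already been validated by the field checks elsewhere in the class — worth confirming. The docblock also states `@return string`, while the TYPE_BOOL branch returns an int.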
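Review bot: After this hunk `_sanitize_input_recursive()` only HTML-sanitizes what it stores, so nothing in `$this->in` is escaped for SQL any more, and that new contract is not written down at the line that changed. A comment above `$data["$key"] = $this->sanitize($value);` such as `// values in $this->in are HTML-sanitized only; pass them through escape() before using them in SQL` would make the rule from the commit message visible to every consumer of `$this->in`. Whether the `escapestrings` property is still read anywhere else is outside this patch; if it is not, removing it would stop it from suggesting escaping that no longer happens. The enclosing function starts outside the hunk.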
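Review bot: The `if ($this->magicquotes)` branch kept in `sanitize()` is only reachable if something still assigns that property, and the only assignment visible in this patch (`$this->magicquotes = 1` in `exec_sanitize_data()`, the kernel.php hunk at -701) is being removed, so as far as this diff shows the branch is dead and input arriving under magic_quotes_gpc is never normalized. The commit message itself flags that case as unchecked: with magic_quotes_gpc enabled the request values arrive already backslash-escaped, and the later `escape()` in `prepare_field_for_sql()` would escape them a second time. One way to close it is to derive the flag from the runtime, `$this->magicquotes = get_magic_quotes_gpc();`, and strip the added slashes on input before `sanitize()` runs; the other is to drop the branch and the property if that configuration is no longer supported. The body of `sanitize()` continues outside the hunk.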
@@ -637,20 +629,12 @@ class Shared_Object_Framework
 * @access public
 *
 * @param string Text that needs to be turned back into HTML
- * @param bool Force magicquotes off
 *
 * @return string Unsanitized text
 */
- function unsanitize($text, $force = false)
+ function unsanitize($text)
 {
- if ($this->magicquotes AND !$force)
- {
- return str_replace(array('<', '>', '"'), array('<', '>', '\"'), $text);
- }
- else
- {
- return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text);
- }
+ return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text);
 }
 // ###################################################################
@@ -701,11 +685,6 @@ class Shared_Object_Framework
 function exec_sanitize_data()
 {
 $this->in = $this->_sanitize_input_recursive(array_merge($_GET, $_POST, $_COOKIE));
- // we're now using magic quotes
- if ($this->escapestrings)
- {
- $this->magicquotes = 1;
- }
 }
 // ###################################################################
@@ -782,10 +761,7 @@ class Shared_Object_Framework
 }
 else if ($type == TYPE_STR)
 {
- if (!$this->escapestrings)
- {
- $value = $this->escape($value);
- }
+ $value = $value;
 }
 else if ($type == TYPE_STRUN)
 {
@@ -793,10 +769,7 @@ class Shared_Object_Framework
 }
 else if ($type == TYPE_NOCLEAN)
 {
- if ($this->escapestrings)
- {
- $value = $this->escape($value);
- }
+ $value = $value;
 }
 else
 {
diff --git a/mail.php b/mail.php
index 1deef83..2708cc6 100644
--- a/mail.php
+++ b/mail.php
@@ -127,7 +127,7 @@ class Mail
 }
 else
 {
- $this->from = trim($this->registry->unsanitize($this->from, true));
+ $this->from = trim($this->registry->unsanitize($this->from));
 }
 if (!$this->fromname)
@@ -136,7 +136,7 @@ class Mail
 }
 else
 {
- $this->fromname = trim($this->registry->unsanitize($this->fromname, true));
+ $this->fromname = trim($this->registry->unsanitize($this->fromname));
 }
 if (!$this->to)
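Review bot: `$value = $value;` in the TYPE_STR branch is a no-op self-assignment, and the same line replaces the escaping in the TYPE_NOCLEAN branch (hunk at -793). If the intent is that string-like values now pass through untouched, state that where the assignment is, e.g. `// strings are returned raw; callers must escape() them before SQL`, or leave the branch body empty; as written the line reads like an unfinished edit. With these two branches the enclosing function, which starts and ends outside the hunk, no longer applies any escaping to TYPE_STR or TYPE_NOCLEAN values, which matches the commit message but should also be reflected in that function's docblock.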
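Review bot: `trim()` around the `unsanitize()` call for `$this->from` removes only leading and trailing whitespace, so a CR or LF embedded in the value survives; the same holds for `$this->fromname` (hunk at -136), while `$this->subject` (mail.php hunk at -156) at least goes through `_fetch_first_line()` first. If these fields can originate from request input and are later placed into mail headers by code outside this patch, applying the same first-line treatment to the sender fields, or rejecting values that contain `"\r"` or `"\n"`, would be worth adding — hedged, since the header assembly is not visible here. The enclosing method continues outside the hunk.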
@@ -156,7 +156,7 @@ class Mail
 }
 else
 {
- $this->subject = trim($this->registry->unsanitize($this->_fetch_first_line($this->subject), true));
+ $this->subject = trim($this->registry->unsanitize($this->_fetch_first_line($this->subject)));
 }
 if (!$this->body)
-- 
2.22.5