From: Glenn H. <thr...@us...> - 2006-01-05 03:58:04
Update of /cvsroot/mantisbt/mantisbt/core
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv553/core
Modified Files:
Tag: BRANCH_0_19_3
database_api.php
Log Message:
fix for 0006556: XSS Vulnerability in manage_user (TKADV2005-11-002)
Index: database_api.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/core/database_api.php,v
retrieving revision 1.38
retrieving revision 1.38.4.1
diff -u -d -r1.38 -r1.38.4.1
--- database_api.php 9 Dec 2004 18:55:06 -0000 1.38
+++ database_api.php 5 Jan 2006 03:57:56 -0000 1.38.4.1
@@ -175,6 +175,12 @@
}
# --------------------
+ function db_field_names( $p_table_name ) {
+ global $g_db;
+ return $g_db->MetaColumnNames( $p_table_name );
+ }
+
+ # --------------------
# Check if there is an index defined on the specified table/field and with
# the specified type.
#
@@ -236,6 +242,7 @@
# --------------------
# prepare a string before DB insertion
# @@@ should default be return addslashes( $p_string ); or generate an error
+ # @@@ Consider using ADODB escaping for all databases.
function db_prepare_string( $p_string ) {
global $g_db;
$t_db_type = config_get( 'db_type' );
@@ -246,11 +253,15 @@
return addslashes( $p_string );
case 'mysql':
- return mysql_escape_string( $p_string );
+ # mysql_escape_string was deprecated in v4.3.0
+ if ( php_version_at_least( '4.3.0' ) ) {
+ return mysql_real_escape_string( $p_string );
+ } else {
+ return mysql_escape_string( $p_string );
+ }
# For some reason mysqli_escape_string( $p_string ) always returns an empty
# string. This is happening with PHP v5.0.2.
- # @@@ Consider using ADODB escaping for all databases.
case 'mysqli':
$t_escaped = $g_db->qstr( $p_string, false );
return substr( $t_escaped, 1, strlen( $t_escaped ) - 2 );
|
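Review bot: db_field_names in the first hunk has no comment and returns ADODB's MetaColumnNames result unchanged, which is false when the column metadata cannot be read and otherwise an array keyed by the upper-cased column name with the driver-reported name as the value, so a caller doing in_array on it gets a warning rather than a clean "not found" on failure. Given the log message this helper is presumably the allow-list source for a request-supplied field name in manage_user, which is the right approach, but that contract should be written down next to it: `# Return the column names of $p_table_name as reported by the database driver (ADODB MetaColumnNames): an array keyed by upper-cased name with the real name as value, or false if the metadata cannot be read. Callers validating an externally supplied field name should treat false as "no valid fields".` The table name itself should only ever be a configured table constant, never a value derived from the request.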
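Review bot: The new mysql branch in the last hunk calls mysql_real_escape_string( $p_string ) with no link identifier, so it escapes against whichever mysql connection PHP opened last and, if none is open, emits a warning and returns false instead of a string, which callers that concatenate the result into SQL will not notice. Since ADODB already owns the connection in $g_db, pass it explicitly so the result is a string escaped for that connection's character set: `return mysql_real_escape_string( $p_string, $g_db->_connectionID );`. The @@@ comment moved into the second hunk about using ADODB escaping for all databases ($g_db->qstr, as the mysqli branch already does) would remove the per-driver branch and the version check entirely. The switch statement continues past the end of the hunk, and the manage_user change the log message refers to is not part of this diff.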