Remove NUL-Bytes directly in request_var() for strings and within the custom DBAL sql_escape() functions (MSSQL, Firebird, Oracle) (reported by AdhostMikeSw)

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8967 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-07-30 21:40:43 +02:00 · 2008-10-02 12:04:12 +00:00
parent ed4797bb4e
commit 2c1d80c75a
6 changed files with 6 additions and 5 deletions
--- a/phpBB/includes/db/mssql.php
+++ b/phpBB/includes/db/mssql.php
@@ -328,7 +328,7 @@ class dbal_mssql extends dbal
 	*/
 	function sql_escape($msg)
 	{
-		return str_replace("'", "''", $msg);
+		return str_replace(array("'", "\0"), array("''", ''), $msg);
 	}

 	/**