MDL-32907 prevent sql_like() backslash quoting problems in PostgreSQL

Petr Skoda 2012-05-12 16:40:11 +02:00
parent 71d7bc34a8
commit ed63f7f883
2 changed files with 14 additions and 2 deletions


@ -1118,7 +1118,11 @@ class pgsql_native_moodle_database extends moodle_database {
if (strpos($param, '%') !== false) {
debugging('Potential SQL injection detected, sql_like() expects bound parameters (? or :named)');
}
$escapechar = pg_escape_string($this->pgsql, $escapechar); // prevents problems with C-style escapes of enclosing '\'
if ($escapechar === '\\') {
// Prevents problems with C-style escapes of enclosing '\',
// E'... bellow prevents compatibility warnings.
$escapechar = '\\\\';
}
// postgresql does not support accent insensitive text comparisons, sorry
if ($casesensitive) {
@ -1126,7 +1130,7 @@ class pgsql_native_moodle_database extends moodle_database {
} else {
$LIKE = $notlike ? 'NOT ILIKE' : 'ILIKE';
}
return "$fieldname $LIKE $param ESCAPE '$escapechar'";
return "$fieldname $LIKE $param ESCAPE E'$escapechar'";
}
public function sql_bitxor($int1, $int2) {
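Review bot: Dropping the pg_escape_string() call leaves `$escapechar` interpolated verbatim into the E'…' literal for every value other than a lone backslash, so an escape character of `'`, or any value containing a backslash or quote, now yields malformed SQL where the old line at least quoted it; sql_like()'s signature lies outside the hunk. The special case could be replaced by one line that handles both uniformly, `$escapechar = addcslashes($escapechar, "\\'");`, which doubles a backslash and backslash-escapes a quote — both valid inside an E'' literal, whose escape processing does not depend on standard_conforming_strings. `$escapechar` is a developer-supplied argument rather than request data, but the `debugging()` guard applied to `$param` just above suggests a matching sanity check (exactly one character, not a quote) would be consistent here. The comment typo `bellow` should read `below`.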


@ -3512,6 +3512,14 @@ class dml_testcase extends database_driver_testcase {
$records = $DB->get_records_sql($sql, array("%D%"));
$this->assertEquals(count($records), 6);
// verify usual escaping characters work fine
$sql = "SELECT * FROM {{$tablename}} WHERE ".$DB->sql_like('name', '?', true, true, false, '\\');
$records = $DB->get_records_sql($sql, array("ouc\\_"));
$this->assertEquals(count($records), 1);
$sql = "SELECT * FROM {{$tablename}} WHERE ".$DB->sql_like('name', '?', true, true, false, '|');
$records = $DB->get_records_sql($sql, array("ouc|%"));
$this->assertEquals(count($records), 1);
// TODO: we do not require accent insensitivness yet, just make sure it does not throw errors
$sql = "SELECT * FROM {{$tablename}} WHERE ".$DB->sql_like('name', '?', true, false);
$records = $DB->get_records_sql($sql, array('aui'));