From: Roland Häder
Date: Sat, 13 Aug 2011 21:47:53 +0000 (+0000)
Subject: Better secure the '()' and ' parts... (sorry for this silly message)
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;ds=inline;h=44238109dbcdd05517f5f64762e9a46463f180f3;p=mailer.git
Better secure the '()' and ' parts... (sorry for this silly message)
---
diff --git a/inc/sql-functions.php b/inc/sql-functions.php
index a4bf3ee88d..d0f720ed05 100644
--- a/inc/sql-functions.php
+++ b/inc/sql-functions.php
@@ -136,13 +136,16 @@ function getUpdateSqlFromArray ($array, $tableName, $whereColumn, $whereData, $e
 continue;
 } // END - if
- // Do we have a non-string (e.g. number, NULL, NOW() or back-tick at the beginning?
+ // Do we have a non-string (e.g. number, NULL, SQL function or back-tick at the beginning?
 if (is_null($multiDimId)) {
 // Handle one-dimensional data
 if (is_null($value)) {
 // NULL detected
 $SQL .= '`' . $entry . '`=NULL,';
- } elseif (('' . bigintval($value, true, false) . '' == '' . $value . '') || ($value == 'NOW()') || (substr($value, 0, 1) == '`')) {
+ } elseif ((substr($value, -2, 2) == '()') || (substr($value, 0, 1) == '`')) {
+ // SQL function needs no ticks (')
+ $SQL .= '`' . $entry . '`=' . SQL_ESCAPE($value) . ',';
+ } elseif ('' . bigintval($value, true, false) . '' == '' . $value . '') {
 // No need for ticks (')
 $SQL .= '`' . $entry . '`=' . $value . ',';
 } else {
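Review bot: The new suffix test `substr($value, -2, 2) == '()'` in the first `elseif` turns any value whose last two characters are `()` into an unquoted SQL expression, and SQL_ESCAPE, presumably a quote-escaping wrapper, cannot protect a position that is not inside quotes; the same test is repeated in the second hunk and in `getInsertSqlFromArray` in the third. Whether `$array` ever carries request-derived data is not visible here, but a builder this generic is fed from many callers, so the pass-through should be an exact-match allowlist of the functions the code actually intends, e.g. `} elseif (in_array($value, array('NOW()'), true) || (substr($value, 0, 1) == '`')) {` (the backtick-prefix case emits unquoted too and deserves the same treatment). The number branch that follows is also inconsistent between the two functions: `getUpdateSqlFromArray` emits `$value` as written while `getInsertSqlFromArray` emits `bigintval($value)`, so using `bigintval($value)` in the update path too would make the emitted token exactly the value the check accepted. `getUpdateSqlFromArray` begins before and continues after this hunk.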
@@ -154,7 +157,10 @@ function getUpdateSqlFromArray ($array, $tableName, $whereColumn, $whereData, $e
 if (is_null($value[$multiDimId])) {
 // NULL detected
 $SQL .= '`' . $entry . '`=NULL,';
- } elseif (('' . bigintval($value[$multiDimId], true, false) . '' == '' . $value[$multiDimId] . '') || ($value[$multiDimId] == 'NOW()') || (substr($value[$multiDimId], 0, 1) == '`')) {
+ } elseif ((substr($value[$multiDimId], -2, 2) == '()') || (substr($value[$multiDimId], 0, 1) == '`')) {
+ // SQL function needs no ticks (')
+ $SQL .= '`' . $entry . '`=' . SQL_ESCAPE($value[$multiDimId]) . ',';
+ } elseif (('' . bigintval($value[$multiDimId], true, false) . '' == '' . $value[$multiDimId] . '')) {
 // No need for ticks (')
 $SQL .= '`' . $entry . '`=' . $value[$multiDimId] . ',';
 } else {
@@ -189,6 +195,9 @@ function getInsertSqlFromArray ($array, $tableName) {
 if (is_null($value)) {
 // Add NULL
 $SQL .= 'NULL,';
+ } elseif (substr($value, -2, 2) == '()') {
+ // SQL function needs no ticks (')
+ $SQL .= SQL_ESCAPE($value) . ',';
 } elseif ('' . bigintval($value, true, false) . '' == '' . $value . '') {
 // Number detected, no need for ticks (')
 $SQL .= bigintval($value) . ',';