From: Roland Häder Date: Sat, 13 Aug 2011 21:47:53 +0000 (+0000) Subject: Better secure the '()' and ' parts... (sorry for this silly message) X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=44238109dbcdd05517f5f64762e9a46463f180f3;p=mailer.git Better secure the '()' and ' parts... (sorry for this silly message) --- diff --git a/inc/sql-functions.php b/inc/sql-functions.php index a4bf3ee88d..d0f720ed05 100644 --- a/inc/sql-functions.php +++ b/inc/sql-functions.php @@ -136,13 +136,16 @@ function getUpdateSqlFromArray ($array, $tableName, $whereColumn, $whereData, $e continue; } // END - if - // Do we have a non-string (e.g. number, NULL, NOW() or back-tick at the beginning? + // Do we have a non-string (e.g. number, NULL, SQL function or back-tick at the beginning? if (is_null($multiDimId)) { // Handle one-dimensional data if (is_null($value)) { // NULL detected $SQL .= '`' . $entry . '`=NULL,'; - } elseif (('' . bigintval($value, true, false) . '' == '' . $value . '') || ($value == 'NOW()') || (substr($value, 0, 1) == '`')) { + } elseif ((substr($value, -2, 2) == '()') || (substr($value, 0, 1) == '`')) { + // SQL function needs no ticks (') + $SQL .= '`' . $entry . '`=' . SQL_ESCAPE($value) . ','; + } elseif ('' . bigintval($value, true, false) . '' == '' . $value . '') { // No need for ticks (') $SQL .= '`' . $entry . '`=' . $value . ','; } else { @@ -154,7 +157,10 @@ function getUpdateSqlFromArray ($array, $tableName, $whereColumn, $whereData, $e if (is_null($value[$multiDimId])) { // NULL detected $SQL .= '`' . $entry . '`=NULL,'; - } elseif (('' . bigintval($value[$multiDimId], true, false) . '' == '' . $value[$multiDimId] . '') || ($value[$multiDimId] == 'NOW()') || (substr($value[$multiDimId], 0, 1) == '`')) { + } elseif ((substr($value[$multiDimId], -2, 2) == '()') || (substr($value[$multiDimId], 0, 1) == '`')) { + // SQL function needs no ticks (') + $SQL .= '`' . $entry . '`=' . SQL_ESCAPE($value[$multiDimId]) . ','; + } elseif (('' . bigintval($value[$multiDimId], true, false) . '' == '' . $value[$multiDimId] . '')) { // No need for ticks (') $SQL .= '`' . $entry . '`=' . $value[$multiDimId] . ','; } else { @@ -189,6 +195,9 @@ function getInsertSqlFromArray ($array, $tableName) { if (is_null($value)) { // Add NULL $SQL .= 'NULL,'; + } elseif (substr($value, -2, 2) == '()') { + // SQL function needs no ticks (') + $SQL .= SQL_ESCAPE($value) . ','; } elseif ('' . bigintval($value, true, false) . '' == '' . $value . '') { // Number detected, no need for ticks (') $SQL .= bigintval($value) . ',';