From: Roland Häder <roland@mxchange.org>
Date: Wed, 24 Oct 2012 23:03:27 +0000 (+0000)
Subject: Fixes:
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=9a672c035f9bfb10aca00be32e1125973e624a58;p=mailer.git

Fixes:
- The character ' is not wanted in URLs generally, so secure it
- Don't do compileUriCode() on the whole SQL statement
---

diff --git a/inc/db/lib-mysql3.php b/inc/db/lib-mysql3.php
index 4d7910d0b9..0f065e1189 100644
--- a/inc/db/lib-mysql3.php
+++ b/inc/db/lib-mysql3.php
@@ -587,13 +587,13 @@ function SQL_PREPARE_SQL_STRING ($sqlString, $enableCodes = TRUE) {
 
 	// Is it already cached?
 	if (!isset($GLOBALS['sql_strings']['' . $sqlString . ''])) {
-		// Compile URI codes+config+expression code
-		$sqlString2 = FILTER_COMPILE_EXPRESSION_CODE(FILTER_COMPILE_CONFIG(compileUriCode($sqlString)));
+		// Preserve escaping and compile URI codes+config+expression code
+		$sqlString2 = FILTER_COMPILE_EXPRESSION_CODE(FILTER_COMPILE_CONFIG($sqlString));
 
 		// Debug message
 		//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlString2=' . $sqlString2);
 
-		// Do final compilation
+		// Do final compilation and revert {ESCAPE}
 		$GLOBALS['sql_strings']['' . $sqlString . ''] = doFinalCompilation($sqlString2, FALSE, $enableCodes);
 	} else {
 		// Log message
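Review bot: The cache on the `if (!isset($GLOBALS['sql_strings']['' . $sqlString . '']))` line is keyed by $sqlString alone, yet the value stored from `doFinalCompilation($sqlString2, FALSE, $enableCodes)` depends on $enableCodes, so a second call with the same statement but a different $enableCodes is served the other variant's compiled SQL. The new comment `// Do final compilation and revert {ESCAPE}` also names a revert step that the unchanged doFinalCompilation() call does not visibly perform in this hunk; presumably it happens inside that helper, and the comment should say so. Consider folding the flag into the key, `$cacheKey = $sqlString . '|' . ($enableCodes ? '1' : '0');`, and using `$cacheKey` in both the isset() check and the assignment (the `'' . $sqlString . ''` concatenation is a no-op either way). SQL_PREPARE_SQL_STRING begins and ends outside the hunk.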
diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php
index 67aea96219..e73036ca9b 100644
--- a/inc/libs/security_functions.php
+++ b/inc/libs/security_functions.php
@@ -181,7 +181,7 @@ if (!isset($_POST)) {
 // Generate arrays which holds the relevante chars to replace
 $GLOBALS['security_chars'] = array(
 	// The chars we are looking for...
-	'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92)),
+	'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92), chr(39)),
 	// ... and we will replace to.
 	'to'   => array(
 		'{SLASH}',
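Review bot: chr(39) is now listed twice in the `'from'` array (the third entry and the newly appended last entry), so the `{SQUOTE}` placeholder added to `'to'` in the following hunk can only be reached if the consumer of these arrays gets past the earlier entry with single quotes still present; if the arrays are fed to a sequential str_replace (the call site is not shown here) the earlier mapping consumes every quote first and `{SQUOTE}` is never produced, while a reverse pass turns `{SQUOTE}` back into a quote that the earlier entry would then re-encode, making the round trip ambiguous. Keep exactly one placeholder per character: either drop the new `chr(39)` / `'{SQUOTE}'` pair or remove the earlier chr(39) and its counterpart in `'to'`, and add a short comment such as `// every 'from' entry must be unique: str_replace applies them in order` above the array. The matching `'{SQUOTE}'` addition in the next hunk carries the same issue. The `$GLOBALS['security_chars']` initialiser starts in this hunk and closes in the next.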
@@ -200,12 +200,13 @@ $GLOBALS['security_chars'] = array(
 		'{CLOSE_INDEX}',
 		'{DBL_DOT}',
 		'{COMMENT}',
-		'{BACKSLASH}'
+		'{BACKSLASH}',
+		'{SQUOTE}'
 	),
 );
 
 /*
- * Characters allowed in URLs
+ * Characters allowed in booked URLs
  *
  * Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be
  *       rejected because of the {SLASH}, {DOT} and all below listed items inside the URL.