From 1e5953f6bfcadb2cbdaead2e516c4401078e620d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?=
Date: Mon, 7 Oct 2013 18:29:24 +0000
Subject: [PATCH] Fixed handling of SQL strings
---
inc/db/lib-mysqli.php | 4 +++-
inc/functions.php | 2 +-
inc/sql-functions.php | 11 ++++++++---
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/inc/db/lib-mysqli.php b/inc/db/lib-mysqli.php
index 29c49158e4..27798e9bb2 100644
--- a/inc/db/lib-mysqli.php
+++ b/inc/db/lib-mysqli.php
@@ -44,7 +44,7 @@ if (!defined('__SECURITY')) {
function sqlQuery ($sqlString, $file, $line, $enableCodes = TRUE) {
// Is there cache?
if (!isset($GLOBALS[__FUNCTION__][$sqlString])) {
- //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'Called: ' . $sqlString);
+ /* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'Called: ' . $sqlString);
// Trim SQL string
$sqlStringModified = trim($sqlString);
@@ -69,7 +69,9 @@ function sqlQuery ($sqlString, $file, $line, $enableCodes = TRUE) {
$sqlStringModified = str_replace(array(chr(9), PHP_EOL, chr(13)), array(' ', ' ', ' '), $sqlStringModified);
// Compile config entries out
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlStringModified=' . $sqlStringModified . ',enableCodes=' . intval($enableCodes));
$sqlStringModified = sqlPrepareQueryString($sqlStringModified, $enableCodes);
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlStringModified=' . $sqlStringModified . ',enableCodes=' . intval($enableCodes));
// Cache it and remember as last SQL query
$GLOBALS[__FUNCTION__][$sqlString] = $sqlStringModified;
diff --git a/inc/functions.php b/inc/functions.php
index f08e83420e..3ee3d3b1ae 100644
--- a/inc/functions.php
+++ b/inc/functions.php
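Review bot: The DEBUG call at the top of sqlQuery is now live — the leading `//` was dropped, so `/* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'Called: ' . $sqlString);` runs for every query text that is not yet in `$GLOBALS[__FUNCTION__]`. That text is the complete query, which on the sqlQueryEscaped path in this same patch presumably already contains the escaped caller data, so password hashes, e-mail addresses and similar values would be written to the debug log of any installation running this revision. If this was a temporary trace it should go back to `//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'Called: ' . $sqlString);` before merging; if query logging is actually wanted, gate it on a runtime debug setting rather than on editing the comment marker, which is exactly the mechanism that let it slip in here. sqlQuery's body continues past the end of the hunk.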
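Review bot: The two traces added around the sqlPrepareQueryString call document the one place where the whole query text is handed to the code compiler with `$enableCodes` forwarded unchanged, and it is worth stating that contract in a real comment rather than only in commented-out debug lines. From the second hunk of inc/sql-functions.php, sqlPrepareQueryString runs FILTER_COMPILE_CONFIG, FILTER_COMPILE_EXPRESSION_CODE and doFinalCompilation over the entire string, so whatever code syntax those filters recognise would also be expanded if it arrived inside interpolated data — the quote/backslash escaping done by sqlEscapeString does not neutralise template codes (inferred from the names; confirm what the filters match). I would add above the call: `// NOTE: the full query text, including any data already interpolated by the caller, is run through the code compiler here; callers building queries from user-derived data should pass $enableCodes = FALSE`. Structurally it would be safer to compile the template once before data is interpolated, which would also make the backslash round-trip in sqlPrepareQueryString unnecessary. sqlQuery's body continues past the end of the hunk.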
@@ -466,7 +466,7 @@ function redirectToUrl ($url, $allowSpider = TRUE) {
// Three different ways to debug...
//* DEBUG: */ reportBug(__FUNCTION__, __LINE__, 'URL=' . $url);
//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'URL=' . $url);
- /* DEBUG: */ die($url);
+ //* DEBUG: */ die($url);
// We should not sent a redirect if headers are already sent
if (!headers_sent()) {
diff --git a/inc/sql-functions.php b/inc/sql-functions.php
index cc16793be7..5686a79ff5 100644
--- a/inc/sql-functions.php
+++ b/inc/sql-functions.php
@@ -304,7 +304,9 @@ function sqlQueryEscaped ($sqlString, $data, $file, $line, $run = TRUE, $strip =
// Escape all data
foreach ($data as $key => $value) {
+ //* DEBUG: */ logDebugMessage(basename($file) . '/' . __FUNCTION__, $line . '/' . __LINE__, 'key=' . $key . ',value=' . $value . ',run=' . intval($run) . ',strip=' . intval($strip) . ',secure=' . intval($secure));
$dataSecured[$key] = sqlEscapeString($value, $secure, $strip);
+ //* DEBUG: */ logDebugMessage(basename($file) . '/' . __FUNCTION__, $line . '/' . __LINE__, 'dataSecured[key]=' . $dataSecured[$key]);
} // END - foreach
// Generate query
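Review bot: The two trace lines added inside the `foreach ($data as $key => $value)` loop of sqlQueryEscaped write every caller-supplied value to the log twice, once raw (`'value=' . $value`) and once escaped (`'dataSecured[key]=' . $dataSecured[$key]`), so the moment someone flips `//*` to `/*` — as happened to the sqlQuery trace in this same patch — credentials, tokens and personal data in `$data` land verbatim in the debug log. If the trace is worth keeping, log only what is needed to follow the control flow, e.g. `'key=' . $key . ',run=' . intval($run) . ',strip=' . intval($strip) . ',secure=' . intval($secure)`, and drop the value dump, or at least truncate it. Note also that `'value=' . $value` on a non-scalar element would emit `Array` plus a notice rather than anything useful, so the trace silently assumes scalar data. sqlQueryEscaped starts before and continues after this hunk.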
@@ -546,20 +548,23 @@ function sqlPrepareQueryString ($sqlString, $enableCodes = TRUE) {
// Is it already cached?
if (!isset($GLOBALS['sql_strings']['' . $sqlString . ''])) {
// Preserve escaping and compile URI codes+config+expression code
- $sqlString2 = FILTER_COMPILE_EXPRESSION_CODE(FILTER_COMPILE_CONFIG($sqlString));
+ $sqlString2 = str_replace(chr(92), '{BACKLASH}', $sqlString);
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlString2=' . $sqlString2);
+ $sqlString2 = FILTER_COMPILE_EXPRESSION_CODE(FILTER_COMPILE_CONFIG($sqlString2));
// Debug message
//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlString2=' . $sqlString2);
- // Do final compilation and revert {ESCAPE}
+ // Do final compilation and revert {BACKSLASH}
$GLOBALS['sql_strings']['' . $sqlString . ''] = doFinalCompilation($sqlString2, FALSE, $enableCodes);
+ $GLOBALS['sql_strings']['' . $sqlString . ''] = str_replace('{BACKLASH}', chr(92), $GLOBALS['sql_strings']['' . $sqlString . '']);
} else {
// Log message
//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlString=' . $sqlString . ' - CACHE!');
}
// Debug message
- //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlString=' . $sqlString . ',enableCodes=' . intval($enableCodes) . ',sql_strings=' . $GLOBALS['sql_strings']['' . $sqlString . ''] . ' - EXIT!');
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlString=' . $sqlString . ',enableCodes=' . intval($enableCodes) . ',returned sql_string=' . $GLOBALS['sql_strings']['' . $sqlString . ''] . ' - EXIT!');
// Return it
return $GLOBALS['sql_strings']['' . $sqlString . ''];
--
2.39.5
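Review bot: The sentinel `{BACKLASH}` that now carries backslashes through FILTER_COMPILE_CONFIG, FILTER_COMPILE_EXPRESSION_CODE and doFinalCompilation is a fixed, guessable string, and the reverting `str_replace('{BACKLASH}', chr(92), ...)` turns every occurrence back into a backslash, not just the ones the first `str_replace(chr(92), '{BACKLASH}', $sqlString)` produced. If escaped caller data is part of `$sqlString` here (the sqlQueryEscaped hunk in this same patch suggests it is), a value such as `{BACKLASH}'` is escaped to `{BACKLASH}\'`, becomes `{BACKLASH}{BACKLASH}'` after the first replace and `\\'` after the revert — an escaped backslash followed by an unescaped quote, which closes the string literal and reopens the SQL injection the escaping was meant to prevent. The minimal guard is to refuse input that already contains the sentinel before the first replace, `if (strpos($sqlString, '{BACKLASH}') !== false) { reportBug(__FUNCTION__, __LINE__, 'Sentinel {BACKLASH} found in SQL string, cannot preserve escaping'); }`, and the robust fix is to compile the template before any data is interpolated so no round-trip is needed at all. The comment says `{BACKSLASH}` while the code uses `{BACKLASH}`; pick one spelling so the sentinel can be grepped. sqlPrepareQueryString's signature and closing brace lie outside this hunk.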