BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping
This commit is contained in:
parent
ca7878453f
commit
6d6c294ae3
@ -129,7 +129,7 @@ class ComponentSet extends DataObjectSet {
|
||||
|
||||
$extraSQL = '';
|
||||
if($extraFields) foreach($extraFields as $k => $v) {
|
||||
$extraSQL .= ", $k = '" . addslashes($v) . "'";
|
||||
$extraSQL .= ", $k = '" . Convert::raw2sql($v) . "'";
|
||||
}
|
||||
|
||||
DB::query("INSERT INTO `$this->tableName` SET $parentField = {$this->ownerObj->ID}, $childField = {$item->ID} $extraSQL");
|
||||
|
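Review bot: The value side of the extra-field assignment is now escaped, but `$k` is still interpolated as a bare column name, and the two IDs in the INSERT two lines below are interpolated without a cast. If `$k` can come from anywhere other than the model's declared extra-field list, it should be validated against that list rather than escaped; the ID interpolations would read `$parentField = " . (int)$this->ownerObj->ID . ", $childField = " . (int)$item->ID . " $extraSQL`, matching the `(int)$this->ParentID` style already used in the File hunk of this commit. The enclosing method starts before this hunk.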
@ -290,7 +290,7 @@ class MySQLDatabase extends Database {
|
||||
}
|
||||
|
||||
if($field['Default'] || $field['Default'] === "0") {
|
||||
$fieldSpec .= " default '" . addslashes($field['Default']) . "'";
|
||||
$fieldSpec .= " default '" . Convert::raw2sql($field['Default']) . "'";
|
||||
}
|
||||
if($field['Extra']) $fieldSpec .= " $field[Extra]";
|
||||
|
||||
|
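Review bot: The guard `if($field['Default'] || $field['Default'] === "0")` drops an empty-string default, because `''` is falsy and is not `"0"`, so a column whose default is the empty string is regenerated without a DEFAULT clause. If the metadata source reports "no default" as null (presumably, confirm against where `$field` is read), `if($field['Default'] !== null) {` states the intent directly and covers `""` and `"0"` alike. `$field['Extra']` on the following line is interpolated without escaping; it is database metadata rather than user input, so this is a consistency point, not an injection one. The enclosing method starts before the hunk.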
@ -273,7 +273,7 @@ class Versioned extends DataObjectDecorator {
|
||||
// Add any extra, unchanged fields to the version record.
|
||||
$data = DB::query("SELECT * FROM `$table` WHERE ID = $id")->record();
|
||||
if($data) foreach($data as $k => $v) {
|
||||
if (!isset($newManipulation['fields'][$k])) $newManipulation['fields'][$k] = "'" . addslashes($v) . "'";
|
||||
if (!isset($newManipulation['fields'][$k])) $newManipulation['fields'][$k] = "'" . Convert::raw2sql($v) . "'";
|
||||
}
|
||||
|
||||
// Set up a new entry in (table)_versions
|
||||
|
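Review bot: A null column value in `$data` is written back as the quoted empty string, because the line always wraps the escaped result in quotes and `Convert::raw2sql(null)` presumably yields `''`, so the version record silently turns NULLs into empty strings (the addslashes() form had the same effect; the commit does not change it). Suggest `if (!isset($newManipulation['fields'][$k])) $newManipulation['fields'][$k] = ($v === null) ? 'null' : "'" . Convert::raw2sql($v) . "'";`. The `$id` in the SELECT above is interpolated without a cast; `(int)$id` would pin it to an integer literal, assuming ID is integral here — confirm. The enclosing method continues outside the hunk.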
@ -64,7 +64,7 @@ class Boolean extends DBField {
|
||||
} if(!$value || !is_numeric($value)) {
|
||||
return "0";
|
||||
} else {
|
||||
return addslashes($value);
|
||||
return Convert::raw2sql($value);
|
||||
}
|
||||
}
|
||||
|
||||
|
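Review bot: Escaping a value that has already passed `is_numeric()` is the wrong tool for a numeric column: nothing in such a value needs escaping, and whatever form `is_numeric()` accepted (leading whitespace, exponent notation) is what lands unquoted in the SQL. A cast expresses the intent and guarantees a plain numeric literal — `return (int)$value;` for Int, `return (float)$value;` for Float, and for Boolean `return (int)$value;` presumably, if values other than 0/1 are not meant to reach the column (confirm). Decimal is the exception: a float cast can lose precision, so there the string should be kept but checked with a stricter decimal pattern than `is_numeric()`. The same point applies to the Decimal, Float and Int hunks below; each enclosing method starts before its hunk.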
@ -106,7 +106,7 @@ abstract class DBField extends ViewableData {
|
||||
if($value === null || $value === "" || $value === false) {
|
||||
return "null";
|
||||
} else {
|
||||
return "'" . addslashes($value) . "'";
|
||||
return "'" . Convert::raw2sql($value) . "'";
|
||||
}
|
||||
}
|
||||
|
||||
|
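Review bot: The return contract here deserves a docblock, since callers splice the result straight into SQL: the method returns the quoted, escaped value, or the bare keyword `null` when `$value` is null, `""` or `false`. Suggest `/** @return string SQL literal for $value: quoted and escaped, or the unquoted keyword null for null, "" and false */` above the method signature (which is outside the hunk). It is worth stating explicitly that `0` and `"0"` are not mapped to null and come back quoted, since the strict comparisons on the first line are what make that so.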
@ -55,7 +55,7 @@ class Decimal extends DBField {
|
||||
} if(!$value || !is_numeric($value)) {
|
||||
return "0";
|
||||
} else {
|
||||
return addslashes($value);
|
||||
return Convert::raw2sql($value);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -36,7 +36,7 @@ class Float extends DBField {
|
||||
} if(!$value || !is_numeric($value)) {
|
||||
return "0";
|
||||
} else {
|
||||
return addslashes($value);
|
||||
return Convert::raw2sql($value);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -52,7 +52,7 @@ class Int extends DBField {
|
||||
} if(!$value || !is_numeric($value)) {
|
||||
return "0";
|
||||
} else {
|
||||
return addslashes($value);
|
||||
return Convert::raw2sql($value);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -332,7 +332,7 @@ class File extends DataObject {
|
||||
$ext = "";
|
||||
}
|
||||
$suffix = 1;
|
||||
while(DataObject::get_one("File", "Name = '" . addslashes($name) . "' AND ParentID = " . (int)$this->ParentID)) {
|
||||
while(DataObject::get_one("File", "Name = '" . Convert::raw2sql($name) . "' AND ParentID = " . (int)$this->ParentID)) {
|
||||
$suffix++;
|
||||
$name = "$base-$suffix$ext";
|
||||
}
|
||||
|
@ -159,10 +159,10 @@ class Folder extends File {
|
||||
if(Member::currentUser()) $ownerID = Member::currentUser()->ID;
|
||||
else $ownerID = 0;
|
||||
|
||||
$filename = addslashes($this->Filename . $name);
|
||||
$filename = Convert::raw2sql($this->Filename . $name);
|
||||
if($className == 'Folder' ) $filename .= '/';
|
||||
|
||||
$name = addslashes($name);
|
||||
$name = Convert::raw2sql($name);
|
||||
|
||||
DB::query("INSERT INTO `File` SET
|
||||
ClassName = '$className', ParentID = $this->ID, OwnerID = $ownerID,
|
||||
|
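Review bot: `$className` is interpolated into `ClassName = '$className'` without escaping, while `$filename` and `$name` on the lines above are now escaped; if the caller can influence it, checking it against the known File subclasses before building the query (or at least wrapping it as `Convert::raw2sql($className)`) keeps the INSERT consistent with the rest of this change. `$ownerID` and `$this->ID` are interpolated without a cast; `(int)` on both would make the intent explicit. The enclosing method starts before and ends after the hunk.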
@ -82,7 +82,7 @@ class AdvancedSearchForm extends SearchForm {
|
||||
foreach($_REQUEST['OnlyShow'] as $section => $checked) {
|
||||
$items = explode(",", $section);
|
||||
foreach($items as $item) {
|
||||
$page = DataObject::get_one('SiteTree', "URLSegment = '" . addslashes($item) . "'");
|
||||
$page = DataObject::get_one('SiteTree', "URLSegment = '" . Convert::raw2sql($item) . "'");
|
||||
$pageList[] = $page->ID;
|
||||
if(!$page) user_error("Can't find a page called '$item'", E_USER_WARNING);
|
||||
$page->loadDescendantIDListInto($pageList);
|
||||
|
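Review bot: `$page->ID` is read on the line after the query, before the `if(!$page)` check, so a missing page hits the property access on a non-object before the warning is raised, and since `E_USER_WARNING` does not stop execution the `loadDescendantIDListInto` call on the following line runs against null as well. Reorder to `if(!$page) { user_error("Can't find a page called '$item'", E_USER_WARNING); continue; }` followed by `$pageList[] = $page->ID;` and `$page->loadDescendantIDListInto($pageList);`. The inner foreach continues outside the hunk.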
@ -174,7 +174,7 @@ class SearchForm extends Form {
|
||||
public function searchEngine($keywords, $pageLength = null, $sortBy = "Relevance DESC", $extraFilter = "", $booleanSearch = false, $alternativeFileFilter = "", $invertedMatch = false) {
|
||||
if(!$pageLength) $pageLength = $this->pageLength;
|
||||
$fileFilter = '';
|
||||
$keywords = addslashes($keywords);
|
||||
$keywords = Convert::raw2sql($keywords);
|
||||
|
||||
$extraFilters = array('SiteTree' => '', 'File' => '');
|
||||
|
||||
|
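Review bot: Escaping `$keywords` on entry means every later use of the variable in this method sees the SQL-escaped form; if it is also echoed back, used in MATCH ... AGAINST boolean syntax, or handed to a template, escaping at the point of interpolation would be the safer shape. The other parameters (`$sortBy`, `$extraFilter`, `$alternativeFileFilter`) look like raw SQL fragments from their names; the method has no docblock, and one saying so would help callers, e.g. `@param string $extraFilter Raw SQL appended to the WHERE clause; never build it from request data`. The method body continues past the hunk.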