BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping

This commit is contained in:
Ingo Schommer 2011-09-15 14:15:41 +02:00
parent dc84665ec2
commit c776a1cd67
8 changed files with 17 additions and 16 deletions

View File

@ -16,8 +16,10 @@ See [http://shiflett.org/articles/sql-injection](http://shiflett.org/articles/sq
### Automatic escaping ### Automatic escaping
SilverStripe automatically runs [addslashes()](http://php.net/addslashes) in DataObject::write() wherever possible. Data SilverStripe automatically escapes data in `[api:DataObject::write()]` wherever possible,
is escaped when saving back to the database, not when writing to object-properties. through database-specific methods (see `[api:Database->addslashes()]`).
For `[api:MySQLDatabase]`, this will be `[mysql_real_escape_string()](http://de3.php.net/mysql_real_escape_string)`.
Data is escaped when saving back to the database, not when writing to object-properties.
* DataObject::get_by_id() * DataObject::get_by_id()
* DataObject::update() * DataObject::update()

View File

@ -87,7 +87,7 @@ class Folder extends File {
// First, merge any children that are duplicates // First, merge any children that are duplicates
$duplicateChildrenNames = DB::query("SELECT \"Name\" FROM \"File\" WHERE \"ParentID\" = $parentID GROUP BY \"Name\" HAVING count(*) > 1")->column(); $duplicateChildrenNames = DB::query("SELECT \"Name\" FROM \"File\" WHERE \"ParentID\" = $parentID GROUP BY \"Name\" HAVING count(*) > 1")->column();
if($duplicateChildrenNames) foreach($duplicateChildrenNames as $childName) { if($duplicateChildrenNames) foreach($duplicateChildrenNames as $childName) {
$childName = DB::getConn()->addslashes($childName); $childName = Convert::raw2sql($childName);
// Note, we do this in the database rather than object-model; otherwise we get all sorts of problems about deleting files // Note, we do this in the database rather than object-model; otherwise we get all sorts of problems about deleting files
$children = DB::query("SELECT \"ID\" FROM \"File\" WHERE \"Name\" = '$childName' AND \"ParentID\" = $parentID")->column(); $children = DB::query("SELECT \"ID\" FROM \"File\" WHERE \"Name\" = '$childName' AND \"ParentID\" = $parentID")->column();
if($children) { if($children) {
@ -194,10 +194,10 @@ class Folder extends File {
if(Member::currentUser()) $ownerID = Member::currentUser()->ID; if(Member::currentUser()) $ownerID = Member::currentUser()->ID;
else $ownerID = 0; else $ownerID = 0;
$filename = DB::getConn()->addslashes($this->Filename . $name); $filename = Convert::raw2sql($this->Filename . $name);
if($className == 'Folder' ) $filename .= '/'; if($className == 'Folder' ) $filename .= '/';
$name = DB::getConn()->addslashes($name); $name = Convert::raw2sql($name);
DB::query("INSERT INTO \"File\" DB::query("INSERT INTO \"File\"
(\"ClassName\", \"ParentID\", \"OwnerID\", \"Name\", \"Filename\", \"Created\", \"LastEdited\", \"Title\") (\"ClassName\", \"ParentID\", \"OwnerID\", \"Name\", \"Filename\", \"Created\", \"LastEdited\", \"Title\")

View File

@ -152,7 +152,7 @@ class ComponentSet extends DataObjectSet {
$extraKeys = $extraValues = ''; $extraKeys = $extraValues = '';
if($extraFields) foreach($extraFields as $k => $v) { if($extraFields) foreach($extraFields as $k => $v) {
$extraKeys .= ", \"$k\""; $extraKeys .= ", \"$k\"";
$extraValues .= ", '" . DB::getConn()->addslashes($v) . "'"; $extraValues .= ", '" . Convert::raw2sql($v) . "'";
} }
DB::query("INSERT INTO \"$this->tableName\" (\"$parentField\",\"$childField\" $extraKeys) VALUES ({$this->ownerObj->ID}, {$item->ID} $extraValues)"); DB::query("INSERT INTO \"$this->tableName\" (\"$parentField\",\"$childField\" $extraKeys) VALUES ({$this->ownerObj->ID}, {$item->ID} $extraValues)");

View File

@ -347,9 +347,9 @@ class MySQLDatabase extends SS_Database {
if($field['Default'] || $field['Default'] === "0") { if($field['Default'] || $field['Default'] === "0") {
if(is_numeric($field['Default'])) if(is_numeric($field['Default']))
$fieldSpec .= " default " . addslashes($field['Default']); $fieldSpec .= " default " . Convert::raw2sql($field['Default']);
else else
$fieldSpec .= " default '" . addslashes($field['Default']) . "'"; $fieldSpec .= " default '" . Convert::raw2sql($field['Default']) . "'";
} }
if($field['Extra']) $fieldSpec .= " $field[Extra]"; if($field['Extra']) $fieldSpec .= " $field[Extra]";
@ -866,8 +866,7 @@ class MySQLDatabase extends SS_Database {
} }
/* /*
* This will return text which has been escaped in a database-friendly manner * This will return text which has been escaped in a database-friendly manner.
* Using PHP's addslashes method won't work in MSSQL
*/ */
function addslashes($value){ function addslashes($value){
return mysql_real_escape_string($value, $this->dbConn); return mysql_real_escape_string($value, $this->dbConn);

View File

@ -406,7 +406,7 @@ class Versioned extends DataExtension {
// Add any extra, unchanged fields to the version record. // Add any extra, unchanged fields to the version record.
$data = DB::query("SELECT * FROM \"$table\" WHERE \"ID\" = $id")->record(); $data = DB::query("SELECT * FROM \"$table\" WHERE \"ID\" = $id")->record();
if($data) foreach($data as $k => $v) { if($data) foreach($data as $k => $v) {
if (!isset($newManipulation['fields'][$k])) $newManipulation['fields'][$k] = "'" . DB::getConn()->addslashes($v) . "'"; if (!isset($newManipulation['fields'][$k])) $newManipulation['fields'][$k] = "'" . Convert::raw2sql($v) . "'";
} }
// Set up a new entry in (table)_versions // Set up a new entry in (table)_versions

View File

@ -59,7 +59,7 @@ class Boolean extends DBField {
*/ */
function prepValueForDB($value) { function prepValueForDB($value) {
if(strpos($value, '[')!==false) if(strpos($value, '[')!==false)
return addslashes($value); return Convert::raw2sql($value);
else { else {
if($value && strtolower($value) != 'f') { if($value && strtolower($value) != 'f') {
return "'1'"; return "'1'";

View File

@ -59,9 +59,9 @@ class Decimal extends DBField {
if(strpos($value, '[')===false) if(strpos($value, '[')===false)
return '0'; return '0';
else else
return addslashes($value); return Convert::raw2sql($value);
} else { } else {
return addslashes($value); return Convert::raw2sql($value);
} }
} }

View File

@ -57,9 +57,9 @@ class Int extends DBField {
if(strpos($value, '[')===false) if(strpos($value, '[')===false)
return '0'; return '0';
else else
return addslashes($value); return Convert::raw2sql($value);
} else { } else {
return addslashes($value); return Convert::raw2sql($value);
} }
} }