SECURITY Backporting MySQLDatabase->addslashes() to use mysql_real_escape_string() instead of the non-multibyte-safe addslashes() PHP function, and using it in Convert::raw2sql()

core/Convert.php

@@ -104,9 +104,8 @@ class Convert extends Object {
 		if(is_array($val)) {
 			foreach($val as $k => $v) $val[$k] = self::raw2sql($v);
 			return $val;
-			
 		} else {
-			return addslashes($val);
+			return DB::getConn()->addslashes($val);
 		}
 	}
 

core/model/Database.php

@@ -111,6 +111,14 @@ abstract class Database extends Object {
 	 */
 	protected abstract function tableList();
 	
+	/**
+	 * Returns an escaped string.
+	 *
+	 * @param string
+	 * @return string - escaped string
+	 */
+	abstract function addslashes($val);
+	
 	/**
 	 * The table list, generated by the tableList() function.
 	 * Used by the requireTable() function.

core/model/MySQLDatabase.php

@@ -400,6 +400,13 @@ class MySQLDatabase extends Database {
 		
 		user_error($msg, $errorLevel);
 	}
+	
+	/*
+	 * This will return text which has been escaped in a database-friendly manner.
+	 */
+	function addslashes($value){
+		return mysql_real_escape_string($value, $this->dbConn);
+	}
 }
 
 /**