MDL-19452 Fix oracle/mssql drivers behaviour when using magic_quotes_…

…sybase leading to wrongly escaped contents. Many thanks to Sam Moffatt! Merged from 19_STABLE
Mrmoodle · Jun 22, 2009 · 3cf4c8f · 3cf4c8f
1 parent a5d75d2
commit 3cf4c8f
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 10 deletions.
diff --git a/lib/adodb/adodb.inc.php b/lib/adodb/adodb.inc.php
@@ -2604,7 +2604,9 @@ function addq($s,$magic_quotes=false)
 		// undo magic quotes for "
 		$s = str_replace('\\"','"',$s);
 
-		if ($this->replaceQuote == "\\'")  // ' already quoted, no need to change anything
+		// moodle change start - see readme_moodle.txt
+		if ($this->replaceQuote == "\\'" || ini_get('magic_quotes_sybase'))  // ' already quoted, no need to change anything
+		// moodle change end - see readme_moodle.txt
 			return $s;
 		else {// change \' to '' for sybase/mssql
 			$s = str_replace('\\\\','\\',$s);
@@ -2638,7 +2640,9 @@ function qstr($s,$magic_quotes=false)
 		// undo magic quotes for "
 		$s = str_replace('\\"','"',$s);
 
-		if ($this->replaceQuote == "\\'")  // ' already quoted, no need to change anything
+		// moodle change start - see readme_moodle.txt
+		if ($this->replaceQuote == "\\'" || ini_get('magic_quotes_sybase'))  // ' already quoted, no need to change anything
+		// moodle change end - see readme_moodle.txt
 			return "'$s'";
 		else {// change \' to '' for sybase/mssql
 			$s = str_replace('\\\\','\\',$s);

diff --git a/lib/adodb/drivers/adodb-mssql.inc.php b/lib/adodb/drivers/adodb-mssql.inc.php
@@ -738,6 +738,46 @@ function _query($sql,$inputarr=false)
 		}
 		return $rez;
 	}
+
+// moodle change start - see readme_moodle.txt
+	/**
+	* Correctly quotes a string so that all strings are escaped. We prefix and append
+	* to the string single-quotes.
+	* An example is  $db->qstr("Don't bother",magic_quotes_runtime());
+	* 
+	* @param s         the string to quote
+	* @param [magic_quotes]    if $s is GET/POST var, set to get_magic_quotes_gpc().
+	*              This undoes the stupidity of magic quotes for GPC.
+	*
+	* @return  quoted string to be sent back to database
+	*/
+	function qstr($s,$magic_quotes=false)
+	{
+ 		if (!$magic_quotes) {
+
+ 			if ($this->replaceQuote[0] == '\\'){
+ 				// only since php 4.0.5
+ 				$s = adodb_str_replace(array('\\',"\0"),array('\\\\',"\\\0"),$s);
+ 				//$s = str_replace("\0","\\\0", str_replace('\\','\\\\',$s));
+ 			}
+ 			return  "'".str_replace("'",$this->replaceQuote,$s)."'";
+ 		}
+
+ 		// undo magic quotes for " unless sybase is on
+ 		$sybase = ini_get('magic_quotes_sybase');
+ 		if (!$sybase) {
+ 			$s = str_replace('\\"','"',$s);
+ 			if ($this->replaceQuote == "\\'")  // ' already quoted, no need to change anything
+ 				return "'$s'";
+ 			else {// change \' to '' for sybase/mssql
+ 				$s = str_replace('\\\\','\\',$s);
+ 				return "'".str_replace("\\'",$this->replaceQuote,$s)."'";
+ 			}
+ 		} else {
+ 			return "'".$s."'";
+		}
+	}
+// moodle change end - see readme_moodle.txt
 
 	// returns true or false
 	function _close()
@@ -1061,4 +1101,4 @@ static function UnixTimeStamp($v)
 http://www.databasejournal.com/scripts/article.php/1440551
 */
 
-?>
+?>
diff --git a/lib/adodb/drivers/adodb-oci8.inc.php b/lib/adodb/drivers/adodb-oci8.inc.php
@@ -1282,13 +1282,18 @@ function qstr($s,$magic_quotes=false)
 			}
 			return  "'".str_replace("'",$this->replaceQuote,$s)."'";
 		}
-
-		// undo magic quotes for "
-		$s = str_replace('\\"','"',$s);
-
-		$s = str_replace('\\\\','\\',$s);
-		return "'".str_replace("\\'",$this->replaceQuote,$s)."'";
-
+// moodle change start - see readme_moodle.txt
+
+		// undo magic quotes for " unless sybase is on
+		$sybase = ini_get('magic_quotes_sybase');
+		if (!$sybase) {
+			$s = str_replace('\\"','"',$s);
+			$s = str_replace('\\\\','\\',$s);
+			return "'".str_replace("\\'",$this->replaceQuote,$s)."'";
+		} else {
+			return "'".$s."'";
+		}
+// moodle change end - see readme_moodle.txt
 	}
 
 }

diff --git a/lib/adodb/readme_moodle.txt b/lib/adodb/readme_moodle.txt
@@ -18,6 +18,11 @@ Our changes: /// Look for "moodle" in adodb code
  * adodb-lib.inc.php - modify some debug output to be correct XHTML. MDL-12378.
        Reported to ADOdb at: http://phplens.com/lens/lensforum/msgs.php?id=17133
        Once fixed by adodb guys, we'll return to their official distro.
+ * drivers/adodb-mssql.inc.php, drivers/adodb-oci8.inc.php (qstr) and
+       adodb.inc.php (addq and qstr) - fixed wrong "undo magic quotes" that was
+       ignoring "magic_quotes_sybase" and leading to wrongly escaped contents. MDL-19452
+       Reported privately to John Lim, will be added to upstream soon. Once fixed
+       we'll return to their official distro.
 
 skodak, iarenaza, moodler, stronk7