#1709 special character escaping improved

2006-06-29 11:30:50 +00:00 · 2006-06-29 11:30:50 +00:00 · 6355b97458
commit 6355b97458
parent 9f9bd0dfbf
2 changed files with 13 additions and 0 deletions
--- a/livesupport/src/modules/storageServer/var/BasicStor.php
+++ b/livesupport/src/modules/storageServer/var/BasicStor.php
@ -354,6 +354,10 @@ class BasicStor extends Alib{
    function bsAccess($realFname, $ext, $gunid, $type='access',
        $parent='0', $owner=NULL)
    {
+        if(!is_null($gunid)){
+            $gunid = StoredFile::_normalizeGunid($acc['gunid']);
+        }
+        foreach(array('ext', 'type') as $v) $$v = addslashes($$v);
        $token  = StoredFile::_createGunid();
        if(!is_null($realFname)){
            $linkFname = "{$this->accessDir}/$token.$ext";
@ -526,6 +530,10 @@ class BasicStor extends Alib{
     */
    function bsOpenPut($chsum, $gunid, $owner=NULL)
    {
+        if(!is_null($gunid)){
+            $gunid = StoredFile::_normalizeGunid($acc['gunid']);
+        }
+        foreach(array('chsum') as $v) $$v = addslashes($$v);
        $ext    = '';
        $token  = StoredFile::_createGunid();
        $res    = $this->dbc->query("
--- a/livesupport/src/modules/storageServer/var/StoredFile.php
+++ b/livesupport/src/modules/storageServer/var/StoredFile.php
@ -88,7 +88,9 @@ class StoredFile{
        $mediaFileLP='', $metadata='', $mdataLoc='file',
        $gunid=NULL, $ftype=NULL, $className='StoredFile')
    {
+        foreach(array('name', 'ftype') as $v) $$v = addslashes($$v);
        $ac =& new $className($gb, ($gunid ? $gunid : NULL));
+        if(PEAR::isError($ac)) return $ac;
        $ac->name = $name;
        $ac->id   = $oid;
        $ac->mime = "unKnown";
@ -383,6 +385,7 @@ class StoredFile{
     */
    function rename($newname)
    {
+        foreach(array('newname') as $v) $$v = addslashes($$v);
        $res = $this->dbc->query("
            UPDATE {$this->filesTable} SET name='$newname', mtime=now()
            WHERE gunid=x'{$this->gunid}'::bigint
@ -401,6 +404,7 @@ class StoredFile{
     */
    function setState($state, $editedby=NULL)
    {
+        foreach(array('state') as $v) $$v = addslashes($$v);
        $eb = (!is_null($editedby) ? ", editedBy=$editedby" : '');
        $res = $this->dbc->query("
            UPDATE {$this->filesTable}
@ -419,6 +423,7 @@ class StoredFile{
     */
    function setMime($mime)
    {
+        foreach(array('mime') as $v) $$v = addslashes($$v);
        $res = $this->dbc->query("
            UPDATE {$this->filesTable} SET mime='$mime', mtime=now()
            WHERE gunid=x'{$this->gunid}'::bigint