From 6355b974586d8ae157bbed167be93cee47009bc7 Mon Sep 17 00:00:00 2001
From: tomash
Date: Thu, 29 Jun 2006 11:30:50 +0000
Subject: [PATCH] #1709 special character escaping improved
---
 livesupport/src/modules/storageServer/var/BasicStor.php | 8 ++++++++
 livesupport/src/modules/storageServer/var/StoredFile.php | 5 +++++
 2 files changed, 13 insertions(+)
diff --git a/livesupport/src/modules/storageServer/var/BasicStor.php b/livesupport/src/modules/storageServer/var/BasicStor.php
index 72b549350..d88db900c 100644
--- a/livesupport/src/modules/storageServer/var/BasicStor.php
+++ b/livesupport/src/modules/storageServer/var/BasicStor.php
@@ -354,6 +354,10 @@ class BasicStor extends Alib{
 function bsAccess($realFname, $ext, $gunid, $type='access', $parent='0', $owner=NULL)
 {
+ if(!is_null($gunid)){
+ $gunid = StoredFile::_normalizeGunid($acc['gunid']);
+ }
+ foreach(array('ext', 'type') as $v) $$v = addslashes($$v);
 $token = StoredFile::_createGunid();
 if(!is_null($realFname)){
 $linkFname = "{$this->accessDir}/$token.$ext";
@@ -526,6 +530,10 @@ class BasicStor extends Alib{
 */
 function bsOpenPut($chsum, $gunid, $owner=NULL)
 {
+ if(!is_null($gunid)){
+ $gunid = StoredFile::_normalizeGunid($acc['gunid']);
+ }
+ foreach(array('chsum') as $v) $$v = addslashes($$v);
 $ext = '';
 $token = StoredFile::_createGunid();
 $res = $this->dbc->query("
diff --git a/livesupport/src/modules/storageServer/var/StoredFile.php b/livesupport/src/modules/storageServer/var/StoredFile.php
index 4cbb657f4..2f8a7cdbb 100644
--- a/livesupport/src/modules/storageServer/var/StoredFile.php
+++ b/livesupport/src/modules/storageServer/var/StoredFile.php
@@ -88,7 +88,9 @@ class StoredFile{
 $mediaFileLP='', $metadata='', $mdataLoc='file',
 $gunid=NULL, $ftype=NULL, $className='StoredFile')
 {
+ foreach(array('name', 'ftype') as $v) $$v = addslashes($$v);
 $ac =& new $className($gb, ($gunid ? $gunid : NULL));
+ if(PEAR::isError($ac)) return $ac;
 $ac->name = $name;
 $ac->id = $oid;
 $ac->mime = "unKnown";
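Review bot: The new guard at the top of bsAccess normalizes `$acc['gunid']`, but no `$acc` exists in this function (its parameters are $realFname, $ext, $gunid, $type, $parent and $owner, and nothing assigns `$acc` before this line), so the caller's `$gunid` is silently replaced by the result of normalizing an undefined value. The line should read `$gunid = StoredFile::_normalizeGunid($gunid);`. Separately, `addslashes()` is a generic C-style escape rather than the database driver's; the queries touched elsewhere in this patch use PostgreSQL syntax (`x'…'::bigint`), so `pg_escape_string()` on the live connection, or placeholder parameters passed through `$this->dbc`, would be the safer choice if that is the backend in use. bsAccess's body continues past the end of the hunk.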
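Review bot: bsOpenPut repeats the same defect: `StoredFile::_normalizeGunid($acc['gunid'])` reads an `$acc` that is not defined in this function, so the `$gunid` argument is discarded; it should be `$gunid = StoredFile::_normalizeGunid($gunid);`. Note also that only `$chsum` is passed through `addslashes()` while the (normalized) `$gunid` is not; whether that matters depends on what `_normalizeGunid()` guarantees about its output, which is not visible here, so a short comment such as `// _normalizeGunid() must return a hex-only string; it is interpolated unescaped below` would make the assumption explicit. The query started on the hunk's last line continues outside the hunk.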
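Review bot: In StoredFile::insert the `addslashes()` applied to `$name` at function entry is then stored on the object via `$ac->name = $name;`, so the in-memory StoredFile carries the backslash-escaped form rather than the real name; anything that later reads `$ac->name` (a filename, a value returned to the caller) sees escaped data, and a second escape on the way to SQL would double it. Keep the object field raw and escape only where the SQL string is built (or use driver placeholders), e.g. `$ac->name = $name;` with `pg_escape_string($name)` applied at the query. The added `if(PEAR::isError($ac)) return $ac;` can only fire if the constructor reassigns `$this` (a PHP 4 idiom), since `new` otherwise always yields an object; if that is the intent, a comment `// constructor may replace $this with a PEAR_Error` would explain why the check exists. insert's signature begins before this hunk and its body continues after it.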
@@ -383,6 +385,7 @@ class StoredFile{
 */
 function rename($newname)
 {
+ foreach(array('newname') as $v) $$v = addslashes($$v);
 $res = $this->dbc->query("
 UPDATE {$this->filesTable} SET name='$newname', mtime=now() WHERE gunid=x'{$this->gunid}'::bigint
@@ -401,6 +404,7 @@ class StoredFile{
 */
 function setState($state, $editedby=NULL)
 {
+ foreach(array('state') as $v) $$v = addslashes($$v);
 $eb = (!is_null($editedby) ? ", editedBy=$editedby" : '');
 $res = $this->dbc->query("
 UPDATE {$this->filesTable}
@@ -419,6 +423,7 @@ class StoredFile{
 */
 function setMime($mime)
 {
+ foreach(array('mime') as $v) $$v = addslashes($$v);
 $res = $this->dbc->query("
 UPDATE {$this->filesTable} SET mime='$mime', mtime=now() WHERE gunid=x'{$this->gunid}'::bigint
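Review bot: In rename(), `addslashes()` is not the right escape for the query it protects: the `x'{$this->gunid}'::bigint` cast in the same statement shows the backend is PostgreSQL, whose string rules (connection encoding, `E''` strings, `standard_conforming_strings`) are not what `addslashes()` implements, so a crafted `$newname` can still break out of the quoted literal on some server configurations. Use the driver's escape bound to the connection, `pg_escape_string($newname)`, or — if `$this->dbc` is a PEAR DB handle — a placeholder: `$this->dbc->query("UPDATE {$this->filesTable} SET name=?, mtime=now() WHERE gunid=x'{$this->gunid}'::bigint", array($newname));`. The query string is closed outside the hunk.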
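Review bot: In setState(), the hunk escapes `$state` but leaves `$editedby` interpolated verbatim into `", editedBy=$editedby"` on the very next line, unquoted and unescaped, so a non-numeric value reaches the SQL text as-is. Since editedBy is emitted as a bare numeric literal, coerce it before interpolation: `$eb = (!is_null($editedby) ? ", editedBy=".intval($editedby) : '');`. The UPDATE built here continues past the end of the hunk.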