#1709 addslashed replaced by pg_escape_string + pg_escape_string added before addObj

livesupport/src/modules/storageServer/var/BasicStor.php

@@ -90,7 +90,7 @@ class BasicStor extends Alib{
         $this->dbc->setErrorHandling(PEAR_ERROR_RETURN);
         $this->rootId = $this->getRootNode();
         $this->storId = $this->wd =
-            $this->getObjId('StorageRoot', $this->rootId);
+        $this->getObjId('StorageRoot', $this->rootId);
         $this->dbc->setErrorHandling();
     }
 
@@ -123,7 +123,7 @@ class BasicStor extends Alib{
     function bsPutFile($parid, $fileName, $mediaFileLP, $mdataFileLP,
         $gunid=NULL, $ftype='unKnown', $mdataLoc='file')
     {
-        $name   = addslashes("$fileName");
+        $name = $fileName;
         $ftype  = strtolower($ftype);
         $id = $this->addObj($name , $ftype, $parid);
         if($this->dbc->isError($id)) return $id;
@@ -357,7 +357,7 @@ class BasicStor extends Alib{
         if(!is_null($gunid)){
             $gunid = StoredFile::_normalizeGunid($gunid);
         }
-        foreach(array('ext', 'type') as $v) $$v = addslashes($$v);
+        foreach(array('ext', 'type') as $v) $$v = pg_escape_string($$v);
         $token  = StoredFile::_createGunid();
         if(!is_null($realFname)){
             $linkFname = "{$this->accessDir}/$token.$ext";
@@ -533,7 +533,7 @@ class BasicStor extends Alib{
         if(!is_null($gunid)){
             $gunid = StoredFile::_normalizeGunid($gunid);
         }
-        foreach(array('chsum') as $v) $$v = addslashes($$v);
+        foreach(array('chsum') as $v) $$v = pg_escape_string($$v);
         $ext    = '';
         $token  = StoredFile::_createGunid();
         $res    = $this->dbc->query("
@@ -1588,6 +1588,7 @@ class BasicStor extends Alib{
      */
     function addObj($name, $type, $parid=1, $aftid=NULL, $param='')
     {
+        $name   = pg_escape_string($name);
         $exid = $this->getObjId($name, $parid);
         if($this->dbc->isError($exid)) return $exid;
         //if(!is_null($exid)){ $this->removeObj($exid); }

livesupport/src/modules/storageServer/var/DataEngine.php

@@ -110,7 +110,7 @@ class DataEngine{
                 $splittedQn = XML_Util::splitQualifiedName($catQn);
                 $catNs  = $splittedQn['namespace'];
                 $cat    = $splittedQn['localPart'];
-                $opVal  = sprintf($ops[$op], addslashes($value));
+                $opVal  = sprintf($ops[$op], pg_escape_string($value));
                 // retype for timestamp value
                 if($cat == 'mtime'){
                     switch($op){

livesupport/src/modules/storageServer/var/MetaData.php

@@ -254,7 +254,7 @@ class MetaData{
         $r = $this->validateOneValue($parname, $category, $predxml, $value);
         if(PEAR::isError($r)) return $r;
         if(!is_null($value)){
-            foreach(array('value') as $v) $$v = addslashes($$v);
+            foreach(array('value') as $v) $$v = pg_escape_string($$v);
             $sql = "
                 UPDATE {$this->mdataTable}
                 SET object='$value', objns='_L'
@@ -635,7 +635,7 @@ class MetaData{
     function updateRecord($mdid, $object, $objns='_L')
     {
         foreach(array('objns', 'object') as $v){
-            ${$v."_sql"}  = (is_null($$v) ? "NULL" : "'".addslashes($$v)."'" );
+            ${$v."_sql"}  = (is_null($$v) ? "NULL" : "'".pg_escape_string($$v)."'" );
         }
         $res = $this->dbc->query("UPDATE {$this->mdataTable}
             SET objns  = $objns_sql,  object    = $object_sql
@@ -669,7 +669,7 @@ class MetaData{
         foreach(array(
             'subjns', 'subject', 'predns', 'predicate', 'objns', 'object',
         ) as $v){
-            ${$v."_sql"}  = (is_null($$v) ? "NULL" : "'".addslashes($$v)."'" );
+            ${$v."_sql"}  = (is_null($$v) ? "NULL" : "'".pg_escape_string($$v)."'" );
         }
         $id = $this->dbc->nextId("{$this->mdataTable}_id_seq");
         if(PEAR::isError($id)) return $id;

livesupport/src/modules/storageServer/var/StoredFile.php

@@ -88,7 +88,7 @@ class StoredFile{
         $mediaFileLP='', $metadata='', $mdataLoc='file',
         $gunid=NULL, $ftype=NULL, $className='StoredFile')
     {
-        foreach(array('name', 'ftype') as $v) $$v = addslashes($$v);
+        foreach(array('name', 'ftype') as $v) $$v = pg_escape_string($$v);
         $ac =& new $className($gb, ($gunid ? $gunid : NULL));
         if(PEAR::isError($ac)) return $ac;
         $ac->name = $name;
@@ -385,7 +385,7 @@ class StoredFile{
      */
     function rename($newname)
     {
-        foreach(array('newname') as $v) $$v = addslashes($$v);
+        foreach(array('newname') as $v) $$v = pg_escape_string($$v);
         $res = $this->dbc->query("
             UPDATE {$this->filesTable} SET name='$newname', mtime=now()
             WHERE gunid=x'{$this->gunid}'::bigint
@@ -404,7 +404,7 @@ class StoredFile{
      */
     function setState($state, $editedby=NULL)
     {
-        foreach(array('state') as $v) $$v = addslashes($$v);
+        foreach(array('state') as $v) $$v = pg_escape_string($$v);
         $eb = (!is_null($editedby) ? ", editedBy=$editedby" : '');
         $res = $this->dbc->query("
             UPDATE {$this->filesTable}
@@ -423,7 +423,7 @@ class StoredFile{
      */
     function setMime($mime)
     {
-        foreach(array('mime') as $v) $$v = addslashes($$v);
+        foreach(array('mime') as $v) $$v = pg_escape_string($$v);
         $res = $this->dbc->query("
             UPDATE {$this->filesTable} SET mime='$mime', mtime=now()
             WHERE gunid=x'{$this->gunid}'::bigint