Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

#1709 addslashed replaced by pg_escape_string + pg_escape_string added before addObj

This commit is contained in:
tomash 2006-09-15 06:09:02 +00:00
parent 6c562363bd
commit 67efd6686a
4 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
livesupport/src/modules/storageServer/var/BasicStor.php
View File

@ -90,7 +90,7 @@ class BasicStor extends Alib{
$this->dbc->setErrorHandling(PEAR_ERROR_RETURN); $this->dbc->setErrorHandling(PEAR_ERROR_RETURN);
$this->rootId = $this->getRootNode(); $this->rootId = $this->getRootNode();
$this->storId = $this->wd = $this->storId = $this->wd =
$this->getObjId('StorageRoot', $this->rootId); $this->getObjId('StorageRoot', $this->rootId);
$this->dbc->setErrorHandling(); $this->dbc->setErrorHandling();
} }
@ -123,7 +123,7 @@ class BasicStor extends Alib{
function bsPutFile($parid, $fileName, $mediaFileLP, $mdataFileLP, function bsPutFile($parid, $fileName, $mediaFileLP, $mdataFileLP,
$gunid=NULL, $ftype='unKnown', $mdataLoc='file') $gunid=NULL, $ftype='unKnown', $mdataLoc='file')
{ {
$name = addslashes("$fileName"); $name = $fileName;
$ftype = strtolower($ftype); $ftype = strtolower($ftype);
$id = $this->addObj($name , $ftype, $parid); $id = $this->addObj($name , $ftype, $parid);
if($this->dbc->isError($id)) return $id; if($this->dbc->isError($id)) return $id;
@ -357,7 +357,7 @@ class BasicStor extends Alib{
if(!is_null($gunid)){ if(!is_null($gunid)){
$gunid = StoredFile::_normalizeGunid($gunid); $gunid = StoredFile::_normalizeGunid($gunid);
} }
foreach(array('ext', 'type') as $v) $$v = addslashes($$v); foreach(array('ext', 'type') as $v) $$v = pg_escape_string($$v);
$token = StoredFile::_createGunid(); $token = StoredFile::_createGunid();
if(!is_null($realFname)){ if(!is_null($realFname)){
$linkFname = "{$this->accessDir}/$token.$ext"; $linkFname = "{$this->accessDir}/$token.$ext";
@ -533,7 +533,7 @@ class BasicStor extends Alib{
if(!is_null($gunid)){ if(!is_null($gunid)){
$gunid = StoredFile::_normalizeGunid($gunid); $gunid = StoredFile::_normalizeGunid($gunid);
} }
foreach(array('chsum') as $v) $$v = addslashes($$v); foreach(array('chsum') as $v) $$v = pg_escape_string($$v);
$ext = ''; $ext = '';
$token = StoredFile::_createGunid(); $token = StoredFile::_createGunid();
$res = $this->dbc->query(" $res = $this->dbc->query("
@ -1588,6 +1588,7 @@ class BasicStor extends Alib{
*/ */
function addObj($name, $type, $parid=1, $aftid=NULL, $param='') function addObj($name, $type, $parid=1, $aftid=NULL, $param='')
{ {
$name = pg_escape_string($name);
$exid = $this->getObjId($name, $parid); $exid = $this->getObjId($name, $parid);
if($this->dbc->isError($exid)) return $exid; if($this->dbc->isError($exid)) return $exid;
//if(!is_null($exid)){ $this->removeObj($exid); } //if(!is_null($exid)){ $this->removeObj($exid); }

2
livesupport/src/modules/storageServer/var/DataEngine.php
View File

@ -110,7 +110,7 @@ class DataEngine{
$splittedQn = XML_Util::splitQualifiedName($catQn); $splittedQn = XML_Util::splitQualifiedName($catQn);
$catNs = $splittedQn['namespace']; $catNs = $splittedQn['namespace'];
$cat = $splittedQn['localPart']; $cat = $splittedQn['localPart'];
$opVal = sprintf($ops[$op], addslashes($value)); $opVal = sprintf($ops[$op], pg_escape_string($value));
// retype for timestamp value // retype for timestamp value
if($cat == 'mtime'){ if($cat == 'mtime'){
switch($op){ switch($op){

6
livesupport/src/modules/storageServer/var/MetaData.php
View File

@ -254,7 +254,7 @@ class MetaData{
$r = $this->validateOneValue($parname, $category, $predxml, $value); $r = $this->validateOneValue($parname, $category, $predxml, $value);
if(PEAR::isError($r)) return $r; if(PEAR::isError($r)) return $r;
if(!is_null($value)){ if(!is_null($value)){
foreach(array('value') as $v) $$v = addslashes($$v); foreach(array('value') as $v) $$v = pg_escape_string($$v);
$sql = " $sql = "
UPDATE {$this->mdataTable} UPDATE {$this->mdataTable}
SET object='$value', objns='_L' SET object='$value', objns='_L'
@ -635,7 +635,7 @@ class MetaData{
function updateRecord($mdid, $object, $objns='_L') function updateRecord($mdid, $object, $objns='_L')
{ {
foreach(array('objns', 'object') as $v){ foreach(array('objns', 'object') as $v){
${$v."_sql"} = (is_null($$v) ? "NULL" : "'".addslashes($$v)."'" ); ${$v."_sql"} = (is_null($$v) ? "NULL" : "'".pg_escape_string($$v)."'" );
} }
$res = $this->dbc->query("UPDATE {$this->mdataTable} $res = $this->dbc->query("UPDATE {$this->mdataTable}
SET objns = $objns_sql, object = $object_sql SET objns = $objns_sql, object = $object_sql
@ -669,7 +669,7 @@ class MetaData{
foreach(array( foreach(array(
'subjns', 'subject', 'predns', 'predicate', 'objns', 'object', 'subjns', 'subject', 'predns', 'predicate', 'objns', 'object',
) as $v){ ) as $v){
${$v."_sql"} = (is_null($$v) ? "NULL" : "'".addslashes($$v)."'" ); ${$v."_sql"} = (is_null($$v) ? "NULL" : "'".pg_escape_string($$v)."'" );
} }
$id = $this->dbc->nextId("{$this->mdataTable}_id_seq"); $id = $this->dbc->nextId("{$this->mdataTable}_id_seq");
if(PEAR::isError($id)) return $id; if(PEAR::isError($id)) return $id;

8
livesupport/src/modules/storageServer/var/StoredFile.php
View File

@ -88,7 +88,7 @@ class StoredFile{
$mediaFileLP='', $metadata='', $mdataLoc='file', $mediaFileLP='', $metadata='', $mdataLoc='file',
$gunid=NULL, $ftype=NULL, $className='StoredFile') $gunid=NULL, $ftype=NULL, $className='StoredFile')
{ {
foreach(array('name', 'ftype') as $v) $$v = addslashes($$v); foreach(array('name', 'ftype') as $v) $$v = pg_escape_string($$v);
$ac =& new $className($gb, ($gunid ? $gunid : NULL)); $ac =& new $className($gb, ($gunid ? $gunid : NULL));
if(PEAR::isError($ac)) return $ac; if(PEAR::isError($ac)) return $ac;
$ac->name = $name; $ac->name = $name;
@ -385,7 +385,7 @@ class StoredFile{
*/ */
function rename($newname) function rename($newname)
{ {
foreach(array('newname') as $v) $$v = addslashes($$v); foreach(array('newname') as $v) $$v = pg_escape_string($$v);
$res = $this->dbc->query(" $res = $this->dbc->query("
UPDATE {$this->filesTable} SET name='$newname', mtime=now() UPDATE {$this->filesTable} SET name='$newname', mtime=now()
WHERE gunid=x'{$this->gunid}'::bigint WHERE gunid=x'{$this->gunid}'::bigint
@ -404,7 +404,7 @@ class StoredFile{
*/ */
function setState($state, $editedby=NULL) function setState($state, $editedby=NULL)
{ {
foreach(array('state') as $v) $$v = addslashes($$v); foreach(array('state') as $v) $$v = pg_escape_string($$v);
$eb = (!is_null($editedby) ? ", editedBy=$editedby" : ''); $eb = (!is_null($editedby) ? ", editedBy=$editedby" : '');
$res = $this->dbc->query(" $res = $this->dbc->query("
UPDATE {$this->filesTable} UPDATE {$this->filesTable}
@ -423,7 +423,7 @@ class StoredFile{
*/ */
function setMime($mime) function setMime($mime)
{ {
foreach(array('mime') as $v) $$v = addslashes($$v); foreach(array('mime') as $v) $$v = pg_escape_string($$v);
$res = $this->dbc->query(" $res = $this->dbc->query("
UPDATE {$this->filesTable} SET mime='$mime', mtime=now() UPDATE {$this->filesTable} SET mime='$mime', mtime=now()
WHERE gunid=x'{$this->gunid}'::bigint WHERE gunid=x'{$this->gunid}'::bigint