Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 2abe492

Browse filesBrowse files
ratajsratajs
authored
Update ssql.php
Values in certain conditions should be saner, prevents SQL injection caused by encoding errors. https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
1 parent ec0275b commit 2abe492
Copy full SHA for 2abe492

File tree

Expand file treeCollapse file tree

1 file changed

+35
-16
lines changed
Filter options
Expand file treeCollapse file tree

1 file changed

+35
-16
lines changed

‎ssql.php

Copy file name to clipboardExpand all lines: ssql.php
+35-16Lines changed: 35 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -670,21 +670,25 @@ private function getCondString($a, bool $and, bool $on = false) {
670670
unset($va[count($va-1)]);
671671
$col = true;
672672
};
673-
if(!is_numeric($v2))
674-
$v3 = $this->escape($v2);
675673
if(is_numeric($k))
676674
$r.= $v;
677675
else {
678676
$r.= "`{$this->escape($k)}`";
679-
$r.= " = ";
677+
$r.= $v===NULL ? " IS " : " = ";
680678
if(is_numeric($v3))
681679
$v3 = intval($v3);
682-
if($v3===NULL)
683-
$r.= "IS NULL";
684680
elseif(is_numeric($v3))
685681
$r.= $v;
682+
elseif($on || $col)
683+
$r.= "`" . $this->escape($v3) . "`";
684+
elseif($value===NULL)
685+
$r.= "NULL";
686+
elseif(preg_match("/^[\x{0020}-\x{007E}\x{00A0}-ſ]*$/", $v3) && !preg_match("/\x{0027}/", $esc = $this->escape($v3)))
687+
$r.= "'{$esc}'";
688+
elseif($this->SQLite)
689+
$r.= "x'" . bin2hex($v3) . "'";
686690
else
687-
$r.= ($on || $col) ? "`{$v3}`" : "'{$v3}'";
691+
$r.= "0x" . bin2hex($v3);
688692
};
689693
$r.= $and ? " AND " : " OR ";
690694
};
@@ -698,19 +702,25 @@ private function getCondString($a, bool $and, bool $on = false) {
698702
unset($va[count($va)]);
699703
$col = true;
700704
};
701-
if(!is_numeric($v))
702-
$v = $this->escape($v);
703705
if(is_numeric($k))
704706
$r.= $v;
705707
else {
706708
$r.= "`" . $this->escape($k) . "`";
707-
$r.= " = ";
709+
$r.= $v===NULL ? " IS " : " = ";
708710
if(is_numeric($v))
709711
$v = intval($v);
710712
if(is_numeric($v))
711713
$r.= $v;
714+
elseif($on || $col)
715+
$r.= "`" . $this->escape($v) . "`";
716+
elseif($v===NULL)
717+
$r.= "NULL";
718+
elseif(preg_match("/^[\x{0020}-\x{007E}\x{00A0}-ſ]*$/", $v) && !preg_match("/\x{0027}/", $esc = $this->escape($v)))
719+
$r.= "'{$esc}'";
720+
elseif($this->SQLite)
721+
$r.= "x'" . bin2hex($v) . "'";
712722
else
713-
$r.= ($on || $col) ? "`{$v}`" : "'{$v}'";
723+
$r.= "0x" . bin2hex($v);
714724
};
715725
$r.= $and ? " AND " : " OR ";
716726
};
@@ -917,17 +927,27 @@ public function __construct(SSQL $c, $cond = "") {
917927
$this->c = $c;
918928
$this->cond = $cond;
919929
}
930+
public function quote($v) {
931+
if(is_numeric($v))
932+
return $v;
933+
elseif($v===NULL)
934+
return "NULL";
935+
elseif(preg_match("/^[\x{0020}-\x{007E}\x{00A0}-ſ]*$/", $v) && !preg_match("/\x{0027}/", $esc = $this->c->escape($v)))
936+
return "'{$esc}'";
937+
elseif($this->c->SQLite)
938+
return "x'" . bin2hex($v) . "'";
939+
else
940+
return "0x" . bin2hex($v);
941+
}
920942
public function eq(string $k, $v, int $flags = 128) {
921943
$append = !empty($this->cond);
922944
$quotes = "'";
923-
if(is_int($v) || is_float($v)) {
945+
if(is_int($v) || is_float($v))
924946
$v = [$v];
925-
$quotes = "";
926-
};
927947
if(is_array($v) && count($v) < 1)
928948
return false;
929949
if(is_array($v))
930-
$this->cond = ($append ? ("({$this->cond}) " . ($flags & SQ::COND_OR ? "OR" : "AND") . " (") : "") . ((count($v) < 2) ? ("`" . $this->c->escape($k) . "` = " . $quotes . $this->c->escape($v[0]) . $quotes) : ("(`" . $this->c->escape($k) . "` = " . $quotes . $this->c->escape(array_shift($v)) . $quotes . ") OR (" . $this->c->cond()->eq($k, $v) . ")")) . ($append ? ")" : "");
950+
$this->cond = ($append ? ("({$this->cond}) " . ($flags & SQ::COND_OR ? "OR" : "AND") . " (") : "") . ((count($v) < 2) ? ("`" . $this->c->escape($k) . "` = " . $this->quote($v[0])) : ("(`" . $this->c->escape($k) . "` = " . $this->quote(array_shift($v)) . ") OR (" . $this->c->cond()->eq($k, $v) . ")")) . ($append ? ")" : "");
931951
else
932952
$this->cond = ($append ? ("({$this->cond}) " . ($flags & SQ::COND_OR ? "OR" : "AND") . " (") : "") . ("`" . $this->c->escape($k) . "` = `" . $this->c->escape($v) . "`") . ($append ? ")" : "");
933953
return $this;
@@ -1017,7 +1037,7 @@ public function in(string $k, array $v, int $flags = 128) {
10171037
return implode(", ", array_map(function($n2) {
10181038
if(is_int($n2) || is_float($n2))
10191039
return strval($n2);
1020-
return "'" . $this->c->escape($n2) . "'";
1040+
return $this->quote($n2);
10211041
}, $n));
10221042
return "`" . $this->c->escape($n) . "`";
10231043
}, $v);
@@ -1028,7 +1048,6 @@ public function begins(string $k, $v, int $flags = 128) {
10281048
$append = !empty($this->cond);
10291049
if(is_int($v) || is_float($v)) {
10301050
$v = [$v];
1031-
$quotes = "";
10321051
};
10331052
if(is_array($v) && count($v) < 1)
10341053
return false;

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.