diff options
| author | Derek Jones <derek.jones@ellislab.com> | 2011-04-19 23:13:48 +0200 |
|---|---|---|
| committer | Derek Jones <derek.jones@ellislab.com> | 2011-04-19 23:13:48 +0200 |
| commit | 6ae70cc8499499b5d77d77ec8974f95873edb861 (patch) | |
| tree | 85b39e2ae9018e77f6fe8647b1004f91764001ce /system/database/drivers/mysql/mysql_driver.php | |
| parent | 9ce4385cfc976e309ee12c53726abfd4f066ac3f (diff) | |
modified MySQL and MySQLi drivers to address a potential SQL injection attack vector when multi-byte character set connections are employed. (Does not impact Latin-1, UTF-8, etc. encodings)
Diffstat (limited to 'system/database/drivers/mysql/mysql_driver.php')
| -rw-r--r-- | system/database/drivers/mysql/mysql_driver.php | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/system/database/drivers/mysql/mysql_driver.php b/system/database/drivers/mysql/mysql_driver.php index 4ff9b0a11..b7d547cc0 100644 --- a/system/database/drivers/mysql/mysql_driver.php +++ b/system/database/drivers/mysql/mysql_driver.php @@ -132,7 +132,22 @@ class CI_DB_mysql_driver extends CI_DB { */ function db_set_charset($charset, $collation) { - return @mysql_query("SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'", $this->conn_id); + static $use_set_names; + + if ( ! isset($use_set_names)) + { + // mysql_set_charset() requires PHP >= 5.2.3 and MySQL >= 5.0.7, use SET NAMES as fallback + $use_set_names = (version_compare(PHP_VERSION, '5.2.3', '>=') && version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE; + } + + if ($use_set_names) + { + return @mysql_query("SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'", $this->conn_id); + } + else + { + return @mysql_set_charset($charset, $this->conn_id); + } } // -------------------------------------------------------------------- |