summaryrefslogtreecommitdiffstats
path: root/system/database/drivers/mysqli
diff options
context:
space:
mode:
authorDerek Jones <derek.jones@ellislab.com>2011-04-19 23:13:48 +0200
committerDerek Jones <derek.jones@ellislab.com>2011-04-19 23:13:48 +0200
commit6ae70cc8499499b5d77d77ec8974f95873edb861 (patch)
tree85b39e2ae9018e77f6fe8647b1004f91764001ce /system/database/drivers/mysqli
parent9ce4385cfc976e309ee12c53726abfd4f066ac3f (diff)
modified MySQL and MySQLi drivers to address a potential SQL injection attack vector when multi-byte character set connections are employed. (Does not impact Latin-1, UTF-8, etc. encodings)
Diffstat (limited to 'system/database/drivers/mysqli')
-rw-r--r--system/database/drivers/mysqli/mysqli_driver.php17
1 files changed, 16 insertions, 1 deletions
diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php
index ccdabce1a..1949acb6e 100644
--- a/system/database/drivers/mysqli/mysqli_driver.php
+++ b/system/database/drivers/mysqli/mysqli_driver.php
@@ -132,7 +132,22 @@ class CI_DB_mysqli_driver extends CI_DB {
*/
function _db_set_charset($charset, $collation)
{
- return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'");
+ static $use_set_names;
+
+ if ( ! isset($use_set_names))
+ {
+ // mysqli_set_charset() requires MySQL >= 5.0.7, use SET NAMES as fallback
+ $use_set_names = (version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE;
+ }
+
+ if ($use_set_names)
+ {
+ return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'");
+ }
+ else
+ {
+ return @mysqli_set_charset($this->conn_id, $charset);
+ }
}
// --------------------------------------------------------------------