summaryrefslogtreecommitdiffstats
path: root/system
diff options
context:
space:
mode:
authorDerek Jones <derek.jones@ellislab.com>2011-04-19 23:13:48 +0200
committerDerek Jones <derek.jones@ellislab.com>2011-04-19 23:13:48 +0200
commit6ae70cc8499499b5d77d77ec8974f95873edb861 (patch)
tree85b39e2ae9018e77f6fe8647b1004f91764001ce /system
parent9ce4385cfc976e309ee12c53726abfd4f066ac3f (diff)
modified MySQL and MySQLi drivers to address a potential SQL injection attack vector when multi-byte character set connections are employed. (Does not impact Latin-1, UTF-8, etc. encodings)
Diffstat (limited to 'system')
-rw-r--r--system/database/drivers/mysql/mysql_driver.php17
-rw-r--r--system/database/drivers/mysqli/mysqli_driver.php17
2 files changed, 32 insertions, 2 deletions
diff --git a/system/database/drivers/mysql/mysql_driver.php b/system/database/drivers/mysql/mysql_driver.php
index 4ff9b0a11..b7d547cc0 100644
--- a/system/database/drivers/mysql/mysql_driver.php
+++ b/system/database/drivers/mysql/mysql_driver.php
@@ -132,7 +132,22 @@ class CI_DB_mysql_driver extends CI_DB {
*/
function db_set_charset($charset, $collation)
{
- return @mysql_query("SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'", $this->conn_id);
+ static $use_set_names;
+
+ if ( ! isset($use_set_names))
+ {
+ // mysql_set_charset() requires PHP >= 5.2.3 and MySQL >= 5.0.7, use SET NAMES as fallback
+ $use_set_names = (version_compare(PHP_VERSION, '5.2.3', '>=') && version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE;
+ }
+
+ if ($use_set_names)
+ {
+ return @mysql_query("SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'", $this->conn_id);
+ }
+ else
+ {
+ return @mysql_set_charset($charset, $this->conn_id);
+ }
}
// --------------------------------------------------------------------
diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php
index ccdabce1a..1949acb6e 100644
--- a/system/database/drivers/mysqli/mysqli_driver.php
+++ b/system/database/drivers/mysqli/mysqli_driver.php
@@ -132,7 +132,22 @@ class CI_DB_mysqli_driver extends CI_DB {
*/
function _db_set_charset($charset, $collation)
{
- return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'");
+ static $use_set_names;
+
+ if ( ! isset($use_set_names))
+ {
+ // mysqli_set_charset() requires MySQL >= 5.0.7, use SET NAMES as fallback
+ $use_set_names = (version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE;
+ }
+
+ if ($use_set_names)
+ {
+ return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'");
+ }
+ else
+ {
+ return @mysqli_set_charset($this->conn_id, $charset);
+ }
}
// --------------------------------------------------------------------