-rw-r--r-- | system/core/Loader.php | 2 | ||||
-rwxr-xr-x | system/core/Security.php | 39 | ||||
-rw-r--r-- | system/database/DB_active_rec.php | 2 | ||||
-rw-r--r-- | system/database/DB_driver.php | 22 | ||||
-rw-r--r-- | system/database/DB_result.php | 6 | ||||
-rw-r--r-- | system/database/drivers/oci8/oci8_result.php | 15 | ||||
-rw-r--r-- | system/database/drivers/odbc/odbc_driver.php | 7 | ||||
-rw-r--r-- | system/database/drivers/odbc/odbc_result.php | 71 | ||||
-rw-r--r-- | system/database/drivers/postgre/postgre_driver.php | 10 | ||||
-rw-r--r-- | system/libraries/Session.php | 10 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 8 | ||||
-rw-r--r-- | user_guide_src/source/database/results.rst | 9 |
12 files changed, 137 insertions, 64 deletions
diff --git a/system/core/Loader.php b/system/core/Loader.php index 12daaa928..20cf7ef33 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -833,7 +833,7 @@ class CI_Loader { // If the PHP installation does not support short tags we'll // do a little string replacement, changing the short tags // to standard PHP echo statements. - if ((bool) @ini_get('short_open_tag') === FALSE AND config_item('rewrite_short_tags') == TRUE) + if ( ! is_php('5.4') && (bool) @ini_get('short_open_tag') === FALSE && config_item('rewrite_short_tags') == TRUE) { echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path)))); } diff --git a/system/core/Security.php b/system/core/Security.php index 1007f61f4..6f25fb5bb 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -25,8 +25,6 @@ * @filesource */ -// ------------------------------------------------------------------------ - /** * Security Class * @@ -106,23 +104,27 @@ class CI_Security { public function __construct() { - // CSRF config - foreach(array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) + // Is CSRF protection enabled? + if (config_item('csrf_protection') === TRUE) { - if (FALSE !== ($val = config_item($key))) + // CSRF config + foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) { - $this->{'_'.$key} = $val; + if (FALSE !== ($val = config_item($key))) + { + $this->{'_'.$key} = $val; + } } - } - // Append application specific cookie prefix - if (config_item('cookie_prefix')) - { - $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; - } + // Append application specific cookie prefix + if (config_item('cookie_prefix')) + { + $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; + } - // Set the CSRF hash - $this->_csrf_set_hash(); + // Set the CSRF hash + $this->_csrf_set_hash(); + } log_message('debug', 'Security Class Initialized'); } 
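Review bot: The comment above the changed condition in Loader.php still describes only the `short_open_tag` check and does not say why PHP 5.4 is excluded, although this condition decides whether the view file is passed through `eval()`. A comment such as `// PHP 5.4+ always enables <?=, so the eval()-based rewrite is only needed on older runtimes` would make that gate explicit. The loose `config_item('rewrite_short_tags') == TRUE` also lets any truthy value switch the eval path on, whereas the CSRF guard added to Security.php in this same commit uses `=== TRUE`; consider aligning the two. The enclosing method starts and ends outside the hunk.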
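Review bot: The new `config_item('csrf_protection') === TRUE` guard in `CI_Security::__construct()` is strict, so a truthy but non-boolean setting (`1`, `'TRUE'`) now skips the token-name, cookie-prefix and `_csrf_set_hash()` setup entirely. Whether the code that verifies the token or prints it into forms tests the setting the same way is not visible in this hunk; if any of it is looser, it would run against an uninitialised hash. Suggest documenting the requirement at the guard, e.g. `// Only boolean TRUE enables CSRF; any other value leaves the token uninitialised`, and confirming that the callers of `csrf_verify()` and `get_csrf_hash()` use the same strict comparison.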
@@ -189,7 +191,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS'])) + if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off')) { return FALSE; } @@ -358,7 +360,7 @@ class CI_Security { foreach ($words as $word) { - $word = implode("\s*", str_split($word)) . "\s*"; + $word = implode('\s*', str_split($word)).'\s*'; // We only want to do this when it is followed by a non-word character // That way valid stuff like "dealer to" does not become "dealerto" @@ -425,7 +427,6 @@ class CI_Security { '\\1\\2(\\3)', $str); - // Final clean up // This adds a bit of extra precaution in case // something got through the above filters @@ -601,7 +602,7 @@ class CI_Security { } // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -633,7 +634,7 @@ class CI_Security { { return '<'.$matches[1].$matches[2].$matches[3] // encode opening brace // encode captured opening or closing brace to prevent recursive vectors: - . str_replace(array('>', '<'), array('>', '<'), $matches[4]); + .str_replace(array('>', '<'), array('>', '<'), $matches[4]); } // -------------------------------------------------------------------- diff --git a/system/database/DB_active_rec.php b/system/database/DB_active_rec.php index eaae23f30..f648e5591 100644 --- a/system/database/DB_active_rec.php +++ b/system/database/DB_active_rec.php 
@@ -341,7 +341,7 @@ class CI_DB_active_record extends CI_DB_driver { $this->_track_aliases($table); // Strip apart the condition and protect the identifiers - if (preg_match('/([\w\.]+)([\W\s]+)(.+)/', $cond, $match)) + if (preg_match('/([\[\w\.]+)([\W\s]+)(.+)/', $cond, $match)) { $cond = $this->_protect_identifiers($match[1]).$match[2].$this->_protect_identifiers($match[3]); } diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index e403efb9f..a61450d4c 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -77,12 +77,6 @@ class CI_DB_driver { var $_protect_identifiers = TRUE; var $_reserved_identifiers = array('*'); // Identifiers that should NOT be escaped - // These are use with Oracle - var $stmt_id; - var $curs_id; - var $limit_used; - - /** * Constructor. Accepts one parameter containing the database * connection settings. @@ -396,21 +390,9 @@ class CI_DB_driver { } // Load and instantiate the result driver + $driver = $this->load_rdriver(); + $RES = new $driver($this); - $driver = $this->load_rdriver(); - $RES = new $driver(); - $RES->conn_id = $this->conn_id; - $RES->result_id = $this->result_id; - - if ($this->dbdriver == 'oci8') - { - $RES->stmt_id = $this->stmt_id; - $RES->curs_id = NULL; - $RES->limit_used = $this->limit_used; - $this->stmt_id = FALSE; - } - - // oci8 vars must be set before calling this $RES->num_rows = $RES->num_rows(); // Is query caching enabled? If so, we'll serialize the diff --git a/system/database/DB_result.php b/system/database/DB_result.php index 730443222..61aa56121 100644 --- a/system/database/DB_result.php +++ b/system/database/DB_result.php @@ -47,6 +47,12 @@ class CI_DB_result { public $num_rows = 0; public $row_data = NULL; + public function __construct(&$driver_object) + { + $this->conn_id = $driver_object->conn_id; + $this->result_id = $driver_object->result_id; + } + /** * Query result. Acts as a wrapper function for the following functions. * 
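Review bot: The widened character class `[\[\w\.]+` in the join-condition regex accepts `[` but not `]`, so a bracket-quoted name appears to be split in the middle of the token. For a constructed condition such as `[a].[b] = [c].[d]` the first group captures only `[a`, the operator group captures `].[`, and the remainder goes to the second `_protect_identifiers()` call as one string. Something like `/([\[\]\w\.]+)([^\[\]\w\.]+)(.+)/` keeps both delimiters inside the identifier groups, but it needs a test with bracketed and plain conditions before it replaces the current pattern. Because `$match[2]` is concatenated back unescaped, it is also worth a comment that join conditions must not be built from request data.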
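Review bot: The new `CI_DB_result::__construct(&$driver_object)` has no docblock, and it changes the contract for result classes: `DB_driver` now calls `new $driver($this)` and no longer assigns `conn_id` and `result_id` itself. A result class that defines its own constructor without calling `parent::__construct($driver_object)` would end up with both handles unset, and the docblock should say so. The `&` is not needed to share an object on PHP 5 and can be dropped. The oci8 constructor added later in this commit follows the same pattern and also sets `$driver_object->stmt_id = FALSE`, a side effect on the driver that deserves a one-line comment there.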
diff --git a/system/database/drivers/oci8/oci8_result.php b/system/database/drivers/oci8/oci8_result.php index 0f69fa9ef..383b9f1a0 100644 --- a/system/database/drivers/oci8/oci8_result.php +++ b/system/database/drivers/oci8/oci8_result.php @@ -38,9 +38,18 @@ */ class CI_DB_oci8_result extends CI_DB_result { - var $stmt_id; - var $curs_id; - var $limit_used; + public $stmt_id; + public $curs_id; + public $limit_used; + + public function __construct(&$driver_object) + { + parent::__construct($driver_object); + $this->stmt_id = $driver_object->stmt_id; + $this->curs_id = $driver_object->curs_id; + $this->limit_used = $driver_object->limit_used; + $driver_object->stmt_id = FALSE; + } /** * Number of rows in the result set. diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php index 779b0c62f..a6e08cf2f 100644 --- a/system/database/drivers/odbc/odbc_driver.php +++ b/system/database/drivers/odbc/odbc_driver.php @@ -287,12 +287,11 @@ class CI_DB_odbc_driver extends CI_DB { /** * Insert ID * - * @access public - * @return integer + * @return bool */ - function insert_id() + public function insert_id() { - return @odbc_insert_id($this->conn_id); + return ($this->db->db_debug) ? $this->db->display_error('db_unsuported_feature') : FALSE; } // -------------------------------------------------------------------- diff --git a/system/database/drivers/odbc/odbc_result.php b/system/database/drivers/odbc/odbc_result.php index 572e110ca..de2c58cb9 100644 --- a/system/database/drivers/odbc/odbc_result.php +++ b/system/database/drivers/odbc/odbc_result.php 
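Review bot: The new `insert_id()` in odbc_driver.php reads `$this->db->db_debug` and calls `$this->db->display_error()`, but the method lives in `CI_DB_odbc_driver` itself and no `db` property is visible on the driver classes in this diff (the base driver code shown uses `$this->conn_id` and `$this->dbdriver` directly). If `$this->db` is indeed undefined here, the expression raises a notice and always falls through to `FALSE`, so the unsupported-feature error is never displayed even with debugging enabled. The likely intended line is `return ($this->db_debug) ? $this->display_error('db_unsuported_feature') : FALSE;`.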
@@ -245,8 +245,77 @@ class CI_DB_odbc_result extends CI_DB_result { return $rs_assoc; } -} + // -------------------------------------------------------------------- + + /** + * Query result. Array version. + * + * @return array + */ + public function result_array() + { + if (count($this->result_array) > 0) + { + return $this->result_array; + } + elseif (($c = count($this->result_object)) > 0) + { + for ($i = 0; $i < $c; $i++) + { + $this->result_array[$i] = (array) $this->result_object[$i]; + } + } + elseif ($this->result_id === FALSE) + { + return array(); + } + else + { + while ($row = $this->_fetch_assoc()) + { + $this->result_array[] = $row; + } + } + return $this->result_array; + } + + // -------------------------------------------------------------------- + + /** + * Query result. Object version. + * + * @return array + */ + public function result_object() + { + if (count($this->result_object) > 0) + { + return $this->result_object; + } + elseif (($c = count($this->result_array)) > 0) + { + for ($i = 0; $i < $c; $i++) + { + $this->result_object[$i] = (object) $this->result_array[$i]; + } + } + elseif ($this->result_id === FALSE) + { + return array(); + } + else + { + while ($row = $this->_fetch_object()) + { + $this->result_object[] = $row; + } + } + + return $this->result_object; + } + +} /* End of file odbc_result.php */ /* Location: ./system/database/drivers/odbc/odbc_result.php */ diff --git a/system/database/drivers/postgre/postgre_driver.php b/system/database/drivers/postgre/postgre_driver.php index df0f50da5..5b248e9bc 100644 --- a/system/database/drivers/postgre/postgre_driver.php +++ b/system/database/drivers/postgre/postgre_driver.php 
@@ -587,16 +587,10 @@ class CI_DB_postgre_driver extends CI_DB { $valstr[] = $key." = ".$val; } - $limit = ( ! $limit) ? '' : ' LIMIT '.$limit; - - $orderby = (count($orderby) >= 1)?' ORDER BY '.implode(", ", $orderby):''; - $sql = "UPDATE ".$table." SET ".implode(', ', $valstr); $sql .= ($where != '' AND count($where) >=1) ? " WHERE ".implode(" ", $where) : ''; - $sql .= $orderby.$limit; - return $sql; } @@ -647,9 +641,7 @@ class CI_DB_postgre_driver extends CI_DB { $conditions .= implode("\n", $like); } - $limit = ( ! $limit) ? '' : ' LIMIT '.$limit; - - return "DELETE FROM ".$table.$conditions.$limit; + return "DELETE FROM ".$table.$conditions; } // -------------------------------------------------------------------- diff --git a/system/libraries/Session.php b/system/libraries/Session.php index dd50a91e1..104b88810 100644 --- a/system/libraries/Session.php +++ b/system/libraries/Session.php @@ -454,7 +454,7 @@ class CI_Session { */ public function userdata($item) { - return ( ! isset($this->userdata[$item])) ? FALSE : $this->userdata[$item]; + return isset($this->userdata[$item]) ? $this->userdata[$item] : FALSE; } // -------------------------------------------------------------------- @@ -729,7 +729,7 @@ class CI_Session { */ protected function _unserialize($data) { - $data = @unserialize(strip_slashes($data)); + $data = @unserialize(strip_slashes(trim($data))); if (is_array($data)) { @@ -737,9 +737,11 @@ class CI_Session { return $data; } - return (is_string($data)) ? str_replace('{{slash}}', '\\', $data) : $data; + return is_string($data) ? str_replace('{{slash}}', '\\', $data) : $data; } + // -------------------------------------------------------------------- + /** * Unescape slashes * 
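Review bot: After this change the PostgreSQL UPDATE builder silently ignores `$limit` and `$orderby`, and the DELETE builder in the next hunk does the same for `$limit`, so a caller that chained `limit(1)` before an update or delete now modifies every row matching the WHERE clause with no error. The function signatures lie outside both hunks, so that the parameters are still accepted is inferred from the removed lines. Since dropping a LIMIT widens a write, it is safer to make the case visible than to ignore it, at least with `if ($limit) { log_message('error', 'PostgreSQL: LIMIT/ORDER BY ignored for UPDATE/DELETE'); }` at the top of both builders. Refusing to build the statement when a limit was requested would be stricter still.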
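Review bot: `_unserialize()` in Session.php still hands its argument to `unserialize()` with errors suppressed by `@`, and the added `trim()` does not narrow what is accepted. Where `$data` comes from is outside this hunk; if any caller can pass the session cookie value, it must have passed an integrity check (MAC or authenticated decryption) before reaching this call, because unserialising client-controlled data can instantiate arbitrary classes. A comment stating that precondition, e.g. `// $data must already be integrity-checked; never pass raw cookie input`, would document it. A structured format such as JSON would remove the risk for the plain arrays handled here.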
@@ -779,7 +781,7 @@ class CI_Session { { $expire = $this->now - $this->sess_expiration; - $this->CI->db->where("last_activity < {$expire}"); + $this->CI->db->where('last_activity < '.$expire); $this->CI->db->delete($this->sess_table_name); log_message('debug', 'Session garbage collection performed.'); diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 21675bd16..37016f832 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -62,6 +62,8 @@ Release Date: Not Released - pg_version() is now used to get the database version number, when possible. - Added db_set_charset() support. - Added _optimize_table() support for the :doc:`Database Utility Class <database/utilities>` (rebuilds table indexes). + - Added a constructor to the DB_result class and moved all driver-specific properties and logic out of the base DB_driver class to allow better abstraction. + - Removed limit() and order_by() support for UPDATE and DELETE queries in PostgreSQL driver. Postgres does not support those features. - Libraries @@ -93,6 +95,7 @@ Release Date: Not Released - Removed CI_CORE boolean constant from CodeIgniter.php (no longer Reactor and Core versions). - Added method get_vars() to CI_Loader to retrieve all variables loaded with $this->load->vars(). - is_loaded() function from system/core/Commons.php now returns a reference. + - $config['rewrite_short_tags'] now has no effect when using PHP 5.4 as *<?=* will always be available. Bug fixes for 3.0 ------------------ 
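Review bot: The rewritten `where('last_activity < '.$expire)` in the session garbage collector still concatenates the value into the condition string. `$expire` is computed from `$this->now - $this->sess_expiration`, so it should be numeric, but `sess_expiration` is a configuration value whose validation is not visible here. Passing it as a bound value keeps the escaping with the query builder: `$this->CI->db->where('last_activity <', $expire);`. The enclosing method starts outside the hunk.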
@@ -137,6 +140,11 @@ Bug fixes for 3.0 - Fixed a bug (#1101) - MySQL/MySQLi result method field_data() was implemented as if it was handling a DESCRIBE result instead of the actual result set. - Fixed a bug in Oracle's :doc:`Database Forge Class <database/forge>` method _create_table() where it failed with AUTO_INCREMENT as it's not supported. - Fixed a bug (#1080) - When using the SMTP protocol, the :doc:`Email Library <libraries/email>` send() method was returning TRUE even if the connection/authentication against the server failed. +- Fixed a bug (#499) - a CSRF cookie was created even with CSRF protection being disabled. +- Fixed a bug (#306) - ODBC's insert_id() method was calling non-existent function odbc_insert_id(), which resulted in a fatal error. +- Fixed a bug in Oracle's DB_result class where the cursor id passed to it was always NULL. +- Fixed a bug (#64) - Regular expression in DB_active_rec.php failed to handle queries containing SQL bracket delimiters in the join condition. +- Fixed a bug in the :doc:`Session Library <libraries/sessions>` where a PHP E_NOTICE error was triggered by _unserialize() due to results from databases such as MSSQL and Oracle being space-padded on the right. Version 2.1.1 ============= diff --git a/user_guide_src/source/database/results.rst b/user_guide_src/source/database/results.rst index 4f93c794d..865345762 100644 --- a/user_guide_src/source/database/results.rst +++ b/user_guide_src/source/database/results.rst @@ -150,6 +150,12 @@ is the variable that the query result object is assigned to:: echo $query->num_rows(); +.. note:: + Not all database drivers have a native way of getting the total + number of rows for a result set. When this is the case, all of + the data is prefetched and count() is manually called on the + resulting array in order to achieve the same functionality. + $query->num_fields() ===================== 
@@ -182,5 +188,4 @@ Example:: $row = $query2->row(); echo $row->name; - $query2->free_result();// The $query2 result object will no longer be available - + $query2->free_result(); // The $query2 result object will no longer be available |