From 757dda61aa0556aca8172dc2a8175596afe28ce2 Mon Sep 17 00:00:00 2001
From: Greg Aker
Date: Wed, 14 Apr 2010 19:06:19 -0500
Subject: Fixing a bug where odbc/mssql/oci8 db drivers would encounter a PHP
error due to a function being moved from the input to security class.
Moving remove_invisible_characters() to Common.php so the entire class does not need to be instantiated in those database drivers.
---
system/core/Common.php | 37 +++++++++++++++++++++++
system/database/drivers/mssql/mssql_driver.php | 5 +--
system/database/drivers/oci8/oci8_driver.php | 5 +--
system/database/drivers/odbc/odbc_driver.php | 5 +--
system/libraries/Security.php | 42 ++------------------------
user_guide/changelog.html | 3 +-
user_guide/general/common_functions.html | 6 ++++
7 files changed, 50 insertions(+), 53 deletions(-)
diff --git a/system/core/Common.php b/system/core/Common.php
index 6e2f72509..9dee591e6 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -479,6 +479,43 @@
$_error->log_exception($severity, $message, $filepath, $line);
}
+ // --------------------------------------------------------------------
+
+ /**
+ * Remove Invisible Characters
+ *
+ * This prevents sandwiching null characters
+ * between ascii characters, like Java\0script.
+ *
+ * @access public
+ * @param string
+ * @return string
+ */
+ function remove_invisible_characters($str)
+ {
+ static $non_displayables;
+
+ if ( ! isset($non_displayables))
+ {
+ // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09),
+ $non_displayables = array(
+ '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
+ '/%1[0-9a-f]/', // url encoded 16-31
+ '/[\x00-\x08]/', // 00-08
+ '/\x0b/', '/\x0c/', // 11, 12
+ '/[\x0e-\x1f]/' // 14-31
+ );
+ }
+
+ do
+ {
+ $cleaned = $str;
+ $str = preg_replace($non_displayables, '', $str);
+ }
+ while ($cleaned != $str);
+
+ return $str;
+ }
/* End of file Common.php */
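Review bot: The two URL-encoded patterns at the top of `$non_displayables` are case-sensitive, so `%0B`, `%0C`, `%0E`, `%0F` and `%1A`–`%1F` pass through untouched while their lowercase forms are stripped; percent-encoding hex digits are case-insensitive, so both patterns should carry the `i` modifier: `'/%0[0-8bcef]/i',` and `'/%1[0-9a-f]/i',`. The loop guard `while ($cleaned != $str);` is a loose comparison, under which two numeric strings are compared by value rather than byte-for-byte; `while ($cleaned !== $str);` keeps the intended termination test strict with no change to behaviour for ordinary input. The new helper is also declared without a `function_exists()` guard; if the other helpers in Common.php use one (not visible in this hunk), this one should follow the same convention.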
diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 0c74726a2..40900e832 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -260,12 +260,9 @@ class CI_DB_mssql_driver extends CI_DB {
return $str;
}
-
- // Access the CI object
- $CI =& get_instance();
// Escape single quotes
- $str = str_replace("'", "''", $CI->input->_remove_invisible_characters($str));
+ $str = str_replace("'", "''", remove_invisible_characters($str));
// escape LIKE condition wildcards
if ($like === TRUE)
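Review bot: The escape path now strips URL-encoded control sequences as well as raw control bytes, because `remove_invisible_characters()` applies its `%0x`/`%1x` patterns too, so a value that legitimately contains literal text such as `%0b` or `%1f` is silently altered before it reaches the database; the oci8 and odbc hunks have the same effect. Escaping should be lossless, so these drivers would be better served by stripping only the raw byte ranges here — for example by giving the helper a second parameter that skips the url-encoded patterns and passing it from the three drivers — and leaving percent-decoding concerns to the input layer. The enclosing method (presumably escape_str(); its signature is outside the hunk) starts outside the hunk in all three drivers.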
diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index cd0e09577..6f317d2e6 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -403,10 +403,7 @@ class CI_DB_oci8_driver extends CI_DB {
return $str;
}
- // Access the CI object
- $CI =& get_instance();
-
- $str = $CI->input->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
// escape LIKE condition wildcards
if ($like === TRUE)
diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index d5df8ef8c..6e682313f 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -271,12 +271,9 @@ class CI_DB_odbc_driver extends CI_DB {
return $str;
}
-
- // Access the CI object
- $CI =& get_instance();
// ODBC doesn't require escaping
- $str = $CI->input->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
// escape LIKE condition wildcards
if ($like === TRUE)
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index 60adf0a27..cdae50168 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -198,7 +198,7 @@ class CI_Security {
/*
* Remove Invisible Characters
*/
- $str = $this->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
/*
* Protect GET variables in URLs
@@ -258,7 +258,7 @@ class CI_Security {
/*
* Remove Invisible Characters Again!
*/
- $str = $this->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
/*
* Convert all tabs to spaces
@@ -480,44 +480,6 @@ class CI_Security {
// --------------------------------------------------------------------
- /**
- * Remove Invisible Characters
- *
- * This prevents sandwiching null characters
- * between ascii characters, like Java\0script.
- *
- * @access public
- * @param string
- * @return string
- */
- function _remove_invisible_characters($str)
- {
- static $non_displayables;
-
- if ( ! isset($non_displayables))
- {
- // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09),
- $non_displayables = array(
- '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
- '/%1[0-9a-f]/', // url encoded 16-31
- '/[\x00-\x08]/', // 00-08
- '/\x0b/', '/\x0c/', // 11, 12
- '/[\x0e-\x1f]/' // 14-31
- );
- }
-
- do
- {
- $cleaned = $str;
- $str = preg_replace($non_displayables, '', $str);
- }
- while ($cleaned != $str);
-
- return $str;
- }
-
- // --------------------------------------------------------------------
-
/**
* Compact Exploded Words
*
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 02cf6d06f..5e0f5ae05 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -133,7 +133,8 @@ Hg Tag:
Eliminated a call to is_really_writable() on each request unless it is really needed (Output caching)
Documented append_output() in the Output Class.
Documented a second argument in the decode() function for the Encryption Class.
- Documentd db->close().
+ Documented db->close().
+ Moved _remove_invisible_characters() function from the Security Library to common functions.
diff --git a/user_guide/general/common_functions.html b/user_guide/general/common_functions.html
index 196e3777e..0e68d1113 100644
--- a/user_guide/general/common_functions.html
+++ b/user_guide/general/common_functions.html
@@ -99,6 +99,12 @@ else
See here for a full list of headers.
+
+remove_invisible_characters($str)
+This function prevents inserting null characters between ascii characters, like Java\0script.
+
+
+
--