From d16bab12339fe2746e1ead72ba96351c3423c27c Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Wed, 24 Sep 2008 18:22:03 +0000
Subject: added removal of non-printing characters to escape_str() of drivers
that do not have native PHP escaping mechanisms
---
system/database/drivers/mssql/mssql_driver.php | 2 +-
system/database/drivers/oci8/oci8_driver.php | 2 +-
system/database/drivers/odbc/odbc_driver.php | 2 +-
user_guide/changelog.html | 6 ++++++
4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 98c03c56e..5ac90b451 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -214,7 +214,7 @@ class CI_DB_mssql_driver extends CI_DB {
function escape_str($str)
{
// Escape single quotes
- return str_replace("'", "''", $str);
+ return str_replace("'", "''", $this->input->_remove_invisible_characters($str));
}
// --------------------------------------------------------------------
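Review bot: The new return on line 21 reaches into `$this->input` and calls `_remove_invisible_characters()`, whose underscore prefix marks it as an internal Input-class method, so the driver now depends on the Input library being loaded and attached to the DB object; I cannot see where `input` is assigned on the driver, and if that is not guaranteed for every path that constructs one (CLI scripts, custom loaders), this line fails outright rather than escaping. The oci8 and odbc hunks make the same call and share this concern. I would at least document the dependency above the call: `// Strip non-printing control characters via CI_Input before quote-doubling; relies on $this->input being set by the framework`. Note also that control-character removal is defence in depth here, not a substitute for quoting — the `str_replace` on the same line is still the only escaping this driver performs.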
diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index d6bc512be..765c3f6c9 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -366,7 +366,7 @@ class CI_DB_oci8_driver extends CI_DB {
*/
function escape_str($str)
{
- return $str;
+ return $this->input->_remove_invisible_characters($str);
}
// --------------------------------------------------------------------
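Review bot: The docblock that precedes escape_str() starts outside this hunk and, from what is visible, is not updated for the new behaviour on line 33; it should state that the method now strips non-printing characters and still performs no quote escaping, so callers who assume "escape" means quoting know that handling must happen elsewhere. A one-line addition such as `* Strips non-printing control characters only; quote escaping is not performed here.` would suffice. The dependency on `$this->input` is raised in the mssql hunk.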
diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index 647171696..f89000d83 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -235,7 +235,7 @@ class CI_DB_odbc_driver extends CI_DB {
function escape_str($str)
{
// ODBC doesn't require escaping
- return $str;
+ return $this->input->_remove_invisible_characters($str);
}
// --------------------------------------------------------------------
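Review bot: The comment `// ODBC doesn't require escaping` on line 43 is now stale: the method directly below it no longer returns the value untouched, and the comment neither explains why the input filter is called nor that quote handling is still absent. Replace it with `// No native escape function for ODBC; strip non-printing control characters as a precaution (quotes are not escaped here)` so the next reader gets both facts from the line above the call.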
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index bad3d089e..94e41a893 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -74,6 +74,12 @@ SVN Revision: XXXX
Changed the output of the profiler to use style attribute rather than clear, and added the id "codeigniter_profiler" to the container div
+ Database
+
+ - Added removal of non-printing control characters in escape_str() of DB drivers that do not have native PHP escaping mechanisms (mssql, oci8, odbc), to avoid
+ potential SQL errors, and possible sources of SQL injection.
+
+
Helpers
- Added several new "setting" functions to the Form helper that allow POST data to be retrieved and set into forms. These are intended to be used on their own, or with the new Form Validation Class.
--