From 6ae70cc8499499b5d77d77ec8974f95873edb861 Mon Sep 17 00:00:00 2001
From: Derek Jones <derek.jones@ellislab.com>
Date: Tue, 19 Apr 2011 16:13:48 -0500
Subject: modified MySQL and MySQLi drivers to address a potential SQL
 injection attack vector when multi-byte character set connections are
 employed. (Does not impact Latin-1, UTF-8, etc. encodings)

---
 system/database/drivers/mysql/mysql_driver.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

(limited to 'system/database/drivers/mysql/mysql_driver.php')

diff --git a/system/database/drivers/mysql/mysql_driver.php b/system/database/drivers/mysql/mysql_driver.php
index 4ff9b0a11..b7d547cc0 100644
--- a/system/database/drivers/mysql/mysql_driver.php
+++ b/system/database/drivers/mysql/mysql_driver.php
@@ -132,7 +132,22 @@ class CI_DB_mysql_driver extends CI_DB {
 	 */
 	function db_set_charset($charset, $collation)
 	{
-		return @mysql_query("SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'", $this->conn_id);
+		static $use_set_names;
+		
+		if ( ! isset($use_set_names))
+		{
+			// mysql_set_charset() requires PHP >= 5.2.3 and MySQL >= 5.0.7, use SET NAMES as fallback
+			$use_set_names = (version_compare(PHP_VERSION, '5.2.3', '>=') && version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE;
+		}
+
+		if ($use_set_names)
+		{
+			return @mysql_query("SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'", $this->conn_id);
+		}
+		else
+		{
+			return @mysql_set_charset($charset, $this->conn_id);
+		}
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 114ab0988e20ac6be39ad363ff897a1a3b85e565 Mon Sep 17 00:00:00 2001
From: Razican <devnull@localhost>
Date: Mon, 25 Apr 2011 17:26:45 +0200
Subject: Fixed double-space typo.

---
 system/database/drivers/mysql/mysql_driver.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'system/database/drivers/mysql/mysql_driver.php')

diff --git a/system/database/drivers/mysql/mysql_driver.php b/system/database/drivers/mysql/mysql_driver.php
index b7d547cc0..dec15863f 100644
--- a/system/database/drivers/mysql/mysql_driver.php
+++ b/system/database/drivers/mysql/mysql_driver.php
@@ -1,4 +1,4 @@
-<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
 /**
  * CodeIgniter
  *
@@ -133,7 +133,7 @@ class CI_DB_mysql_driver extends CI_DB {
 	function db_set_charset($charset, $collation)
 	{
 		static $use_set_names;
-		
+
 		if ( ! isset($use_set_names))
 		{
 			// mysql_set_charset() requires PHP >= 5.2.3 and MySQL >= 5.0.7, use SET NAMES as fallback
@@ -302,12 +302,12 @@ class CI_DB_mysql_driver extends CI_DB {
 		if (is_array($str))
 		{
 			foreach ($str as $key => $val)
-	   		{
+	  		{
 				$str[$key] = $this->escape_str($val, $like);
-	   		}
+	  		}
 
-	   		return $str;
-	   	}
+	  		return $str;
+	  	}
 
 		if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id))
 		{
@@ -650,7 +650,7 @@ class CI_DB_mysql_driver extends CI_DB {
 			{
 				if ($field != $index)
 				{
-					$final[$field][] =  'WHEN '.$index.' = '.$val[$index].' THEN '.$val[$field];
+					$final[$field][] = 'WHEN '.$index.' = '.$val[$index].' THEN '.$val[$field];
 				}
 			}
 		}
-- 
cgit v1.2.3-24-g4f1b