From 6ae70cc8499499b5d77d77ec8974f95873edb861 Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Tue, 19 Apr 2011 16:13:48 -0500 Subject: modified MySQL and MySQLi drivers to address a potential SQL injection attack vector when multi-byte character set connections are employed. (Does not impact Latin-1, UTF-8, etc. encodings) --- system/database/drivers/mysqli/mysqli_driver.php | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'system/database/drivers/mysqli/mysqli_driver.php') diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index ccdabce1a..1949acb6e 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php @@ -132,7 +132,22 @@ class CI_DB_mysqli_driver extends CI_DB { */ function _db_set_charset($charset, $collation) { - return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'"); + static $use_set_names; + + if ( ! isset($use_set_names)) + { + // mysqli_set_charset() requires MySQL >= 5.0.7, use SET NAMES as fallback + $use_set_names = (version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE; + } + + if ($use_set_names) + { + return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'"); + } + else + { + return @mysqli_set_charset($this->conn_id, $charset); + } } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From ee21a0eebfac7f3de810d9f8c4f8271944b336bf Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Fri, 22 Apr 2011 17:37:19 -0500 Subject: typo in modification to MySQLi driver. Fixes #236 --- system/database/drivers/mysqli/mysqli_driver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/database/drivers/mysqli/mysqli_driver.php') diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index 1949acb6e..b8586c21d 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php @@ -137,7 +137,7 @@ class CI_DB_mysqli_driver extends CI_DB { if ( ! isset($use_set_names)) { // mysqli_set_charset() requires MySQL >= 5.0.7, use SET NAMES as fallback - $use_set_names = (version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE; + $use_set_names = (version_compare(mysqli_get_server_info($this->conn_id), '5.0.7', '>=')) ? FALSE : TRUE; } if ($use_set_names) -- cgit v1.2.3-24-g4f1b From 114ab0988e20ac6be39ad363ff897a1a3b85e565 Mon Sep 17 00:00:00 2001 From: Razican Date: Mon, 25 Apr 2011 17:26:45 +0200 Subject: Fixed double-space typo. --- system/database/drivers/mysqli/mysqli_driver.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/database/drivers/mysqli/mysqli_driver.php') diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index b8586c21d..74f55c421 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php @@ -1,4 +1,4 @@ -= 5.0.7, use SET NAMES as fallback @@ -568,7 +568,7 @@ class CI_DB_mysqli_driver extends CI_DB { { return "INSERT INTO ".$table." (".implode(', ', $keys).") VALUES ".implode(', ', $values); } - + // -------------------------------------------------------------------- /** @@ -630,7 +630,7 @@ class CI_DB_mysqli_driver extends CI_DB { { if ($field != $index) { - $final[$field][] = 'WHEN '.$index.' = '.$val[$index].' THEN '.$val[$field]; + $final[$field][] = 'WHEN '.$index.' = '.$val[$index].' THEN '.$val[$field]; } } } -- cgit v1.2.3-24-g4f1b From 4b9c62980599228f070b401c7673dce8085b0c61 Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Fri, 1 Jul 2011 17:40:48 -0500 Subject: backed out 648b42a75739, which was a NON-trivial whitespace commit. It broke the Typography class's string replacements, for instance --- system/database/drivers/mysqli/mysqli_driver.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/database/drivers/mysqli/mysqli_driver.php') diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index 74f55c421..b8586c21d 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php @@ -1,4 +1,4 @@ -= 5.0.7, use SET NAMES as fallback @@ -568,7 +568,7 @@ class CI_DB_mysqli_driver extends CI_DB { { return "INSERT INTO ".$table." (".implode(', ', $keys).") VALUES ".implode(', ', $values); } - + // -------------------------------------------------------------------- /** @@ -630,7 +630,7 @@ class CI_DB_mysqli_driver extends CI_DB { { if ($field != $index) { - $final[$field][] = 'WHEN '.$index.' = '.$val[$index].' THEN '.$val[$field]; + $final[$field][] = 'WHEN '.$index.' = '.$val[$index].' THEN '.$val[$field]; } } } -- cgit v1.2.3-24-g4f1b