- fix sql escaping for non-mysql db's (we forgot this one, or removed it accidently)

git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@5356 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-08 04:18:52 +00:00 · 2005-12-19 18:01:36 +00:00 · 2005-12-19 18:01:36 +00:00 · 1a94e75c38
commit 1a94e75c38
parent 79e57f8a0c
2 changed files with 3 additions and 2 deletions
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@ -71,8 +71,9 @@ p,ul,td {font-size:10pt;}
 <li>[Fix] added session keys table to backup</li>
 <li>[Fix] changes to support MySQL 5.0</li>
 <li>[Fix] changes to some of the admin files to improve efficiency and remove a potential error condition when building the menu (cxib)</li>
-<li>[Fix] change truncation of username length in usercp_register.php (BFUK)
+<li>[Fix] change truncation of username length in usercp_register.php - BFUK</li>
 <li>[Fix] incorrect path to avatars in admin_users.php (Bug #667)</li>
+<li>[Fix] fixed get_userdata to support correct sql escaping (non-mysql dbs) - jarnaez</li>
 </ul>


--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -158,7 +158,7 @@ function get_userdata($user, $force_str = false)
 	$sql = "SELECT *
 		FROM " . USERS_TABLE . " 
 		WHERE ";
-	$sql .= ( ( is_integer($user) ) ? "user_id = $user" : "username = '" .  $user . "'" ) . " AND user_id <> " . ANONYMOUS;
+	$sql .= ( ( is_integer($user) ) ? "user_id = $user" : "username = '" .  str_replace("\'", "''", $user) . "'" ) . " AND user_id <> " . ANONYMOUS;
 	if ( !($result = $db->sql_query($sql)) )
 	{
 		message_die(GENERAL_ERROR, 'Tried obtaining data for a non-existent user', '', __LINE__, __FILE__, $sql);