makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

Remove NUL-Bytes directly in request_var() for strings and within the custom DBAL sql_escape() functions (MSSQL, Firebird, Oracle) (reported by AdhostMikeSw)

Browse source 
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8967 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen 2008-10-02 12:04:12 +00:00
parent ed4797bb4e
commit 2c1d80c75a
6 changed files with 6 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
phpBB/docs/CHANGELOG.html
View file

@ -147,6 +147,7 @@
<li>[Change] MCP topic view checkboxes now default to unchecked.</li> <li>[Change] MCP topic view checkboxes now default to unchecked.</li>
<li>[Change] Adjust language key <em>SPLIT_AFTER</em> to make the action clearer.</li> <li>[Change] Adjust language key <em>SPLIT_AFTER</em> to make the action clearer.</li>
<li>[Change] Add links to the post and forum when viewing a report from the MCP. (Bugs #33795, #33805)</li> <li>[Change] Add links to the post and forum when viewing a report from the MCP. (Bugs #33795, #33805)</li>
<li>[Change] Remove NUL-Bytes directly in request_var() for strings and within the custom DBAL sql_escape() functions (MSSQL, Firebird, Oracle) (reported by AdhostMikeSw)</li>
<li>[Feature] Allow limited inheritance for template sets.</li> <li>[Feature] Allow limited inheritance for template sets.</li>
<li>[Feature] Allow hard disabling of the template editor.</li> <li>[Feature] Allow hard disabling of the template editor.</li>

2
phpBB/includes/db/firebird.php
View file

@ -425,7 +425,7 @@ class dbal_firebird extends dbal
*/ */
function sql_escape($msg) function sql_escape($msg)
{ {
return str_replace("'", "''", $msg); return str_replace(array("'", "\0"), array("''", ''), $msg);
} }
/** /**

2
phpBB/includes/db/mssql.php
View file

@ -328,7 +328,7 @@ class dbal_mssql extends dbal
*/ */
function sql_escape($msg) function sql_escape($msg)
{ {
return str_replace("'", "''", $msg); return str_replace(array("'", "\0"), array("''", ''), $msg);
} }
/** /**

2
phpBB/includes/db/mssql_odbc.php
View file

@ -349,7 +349,7 @@ class dbal_mssql_odbc extends dbal
*/ */
function sql_escape($msg) function sql_escape($msg)
{ {
return str_replace("'", "''", $msg); return str_replace(array("'", "\0"), array("''", ''), $msg);
} }
/** /**

2
phpBB/includes/db/oracle.php
View file

@ -551,7 +551,7 @@ class dbal_oracle extends dbal
*/ */
function sql_escape($msg) function sql_escape($msg)
{ {
return str_replace("'", "''", $msg); return str_replace(array("'", "\0"), array("''", ''), $msg);
} }
/** /**

2
phpBB/includes/functions.php
View file

@ -32,7 +32,7 @@ function set_var(&$result, $var, $type, $multibyte = false)
if ($type == 'string') if ($type == 'string')
{ {
$result = trim(htmlspecialchars(str_replace(array("\r\n", "\r"), array("\n", "\n"), $result), ENT_COMPAT, 'UTF-8')); $result = trim(htmlspecialchars(str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result), ENT_COMPAT, 'UTF-8'));
if (!empty($result)) if (!empty($result))
{ {