[ticket/15342] Escape strings in sql querys

PHPBB3-15342
This commit is contained in:
Rubén Calvo 2018-06-26 13:26:19 +02:00
parent 522ff2f792
commit bdf3a0c913
2 changed files with 6 additions and 6 deletions


@ -99,7 +99,7 @@ interface adapter_interface
/* /*
* Get space available in bytes. * Get space available in bytes.
* *
* @throws \phpbb\storage\exception\exception When unable to retrieve available storage spac * @throws \phpbb\storage\exception\exception When unable to retrieve available storage space
* *
* @return int Returns available space * @return int Returns available space
*/ */


@ -304,9 +304,9 @@ class storage
protected function track_rename($path_orig, $path_dest) protected function track_rename($path_orig, $path_dest)
{ {
$sql = 'UPDATE ' . $this->storage_table . " $sql = 'UPDATE ' . $this->storage_table . "
SET file_path = '" . $path_dest . "' SET file_path = '" . $this->db->sql_escape($path_dest) . "'
WHERE file_path = '" . $path_orig . "' WHERE file_path = '" . $this->db->sql_escape($path_orig) . "'
AND storage = '" . $this->storage_name . "'"; AND storage = '" . $this->db->sql_escape($this->get_name()) . "'";
$this->db->sql_query($sql); $this->db->sql_query($sql);
} }
@ -350,7 +350,7 @@ class storage
{ {
$sql = 'SELECT SUM(filesize) AS totalsize $sql = 'SELECT SUM(filesize) AS totalsize
FROM ' . $this->storage_table . " FROM ' . $this->storage_table . "
WHERE storage = '" . $this->get_name() . "'"; WHERE storage = '" . $this->db->sql_escape($this->get_name()) . "'";
$result = $this->db->sql_query($sql); $result = $this->db->sql_query($sql);
$total_size = (int) $this->db->sql_fetchfield('totalsize'); $total_size = (int) $this->db->sql_fetchfield('totalsize');
@ -375,7 +375,7 @@ class storage
{ {
$sql = 'SELECT COUNT(file_id) AS numfiles $sql = 'SELECT COUNT(file_id) AS numfiles
FROM ' . $this->storage_table . " FROM ' . $this->storage_table . "
WHERE storage = '" . $this->get_name() . "'"; WHERE storage = '" . $this->db->sql_escape($this->get_name()) . "'";
$result = $this->db->sql_query($sql); $result = $this->db->sql_query($sql);
$number_files = (int) $this->db->sql_fetchfield('numfiles'); $number_files = (int) $this->db->sql_fetchfield('numfiles');
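Review bot: track_rename still assembles its UPDATE by hand, so every value that is later added to the SET or WHERE clause has to remember the `sql_escape()` wrapping this commit adds; assuming `$this->db` is the dbal driver, `sql_build_array('UPDATE', ...)` quotes and escapes each value itself and is how the rest of phpBB writes updates. A minimal rewrite of the statement is `$sql = 'UPDATE ' . $this->storage_table . ' SET ' . $this->db->sql_build_array('UPDATE', ['file_path' => $path_dest]) . " WHERE file_path = '" . $this->db->sql_escape($path_orig) . "' AND storage = '" . $this->db->sql_escape($this->get_name()) . "'";`. The AND clause of that hunk also switches from `$this->storage_name` to `$this->get_name()`, which the title does not mention; a word in the description would help if the two can ever differ. The same escaping in get_size and get_num_files is fine as written (their bodies may continue past the hunk), but both parameters of track_rename remain untyped where `protected function track_rename(string $path_orig, string $path_dest)` would reject non-strings before they reach the query.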