Fix: Duplicate escaping when using encrypt

2010-09-01 22:45:10 +00:00
parent 439f5134ab
commit abd19f59ba
5 changed files with 31 additions and 24 deletions
--- a/htdocs/lib/databases/mysql.lib.php
+++ b/htdocs/lib/databases/mysql.lib.php
@@ -694,10 +694,11 @@ class DoliDb
 	//---------------------------------------------------------------

 	/**
-	 *	\brief          Encrypt sensitive data in database
-	 *	\param	        fieldorvalue	Field name or value to encrypt
-	 * 	\param			withQuotes		Return string with quotes
-	 * 	\return	        return			XXX(field) or XXX('value') or field or 'value'
+     *  Encrypt sensitive data in database
+     *  Warning: This function includes the escape, so it must use direct value
+     *  @param          fieldorvalue    Field name or value to encrypt
+     *  @param          withQuotes      Return string with quotes
+     *  @return         return          XXX(field) or XXX('value') or field or 'value'
 	 */
 	function encrypt($fieldorvalue, $withQuotes=0)
 	{
@@ -709,7 +710,7 @@ class DoliDb
 		//Encryption key
 		$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');

-		$return = ($withQuotes?"'":"").addslashes($fieldorvalue).($withQuotes?"'":"");
+		$return = ($withQuotes?"'":"").$this->escape($fieldorvalue).($withQuotes?"'":"");

 		if ($cryptType && !empty($cryptKey))
 		{