diff --git a/htdocs/lib/admin.lib.php b/htdocs/lib/admin.lib.php
index bc752c50925..68990b44030 100644
--- a/htdocs/lib/admin.lib.php
+++ b/htdocs/lib/admin.lib.php
@@ -346,7 +346,7 @@ function dolibarr_get_const($db, $name, $entity=1)
 $sql = "SELECT ".$db->decrypt('value')." as value";
 $sql.= " FROM ".MAIN_DB_PREFIX."const";
- $sql.= " WHERE name = ".$db->encrypt($db->escape($name),1);
+ $sql.= " WHERE name = ".$db->encrypt($name,1);
 $sql.= " AND entity = ".$entity;
 dol_syslog("admin.lib::dolibarr_get_const sql=".$sql);
@@ -391,7 +391,7 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
 $db->begin();
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
- $sql.= " WHERE name = ".$db->encrypt($db->escape($name),1);
+ $sql.= " WHERE name = ".$db->encrypt($name,1);
 $sql.= " AND entity = ".$entity;
 dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
@@ -401,11 +401,13 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
 {
 $sql = "INSERT INTO llx_const(name,value,type,visible,note,entity)";
 $sql.= " VALUES (";
- $sql.= $db->encrypt($db->escape($name),1);
- $sql.= ", ".$db->encrypt($db->escape($value),1);
+ $sql.= $db->encrypt($name,1);
+ $sql.= ", ".$db->encrypt($value,1);
 $sql.= ",'".$type."',".$visible.",'".$db->escape($note)."',".$entity.")";
 //print "sql".$value."-".pg_escape_string($value)."-".$sql;exit;
+ //print "xx".$db->escape($value);
+ //print $sql;exit;
 dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
 $resql=$db->query($sql);
 }
diff --git a/htdocs/lib/databases/mssql.lib.php b/htdocs/lib/databases/mssql.lib.php
index 7f464b640a5..04525727aef 100644
--- a/htdocs/lib/databases/mssql.lib.php
+++ b/htdocs/lib/databases/mssql.lib.php
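Review bot: `$entity` is concatenated into the statement unescaped and uncast on the `" AND entity = ".$entity` line, and the same pattern appears on the matching line of the -391 hunk and as the last VALUES element in the -401 hunk. Since this commit is about which layer escapes `$name` and `$value`, this is the one operand it leaves untouched; `$sql.= " AND entity = ".((int) $entity);` closes it without changing any existing call, because the signature in the hunk header declares `$entity=1` and the column is compared as a bare number. dolibarr_get_const continues outside the hunk.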
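Review bot: The INSERT on the second line of this hunk targets the hard-coded table `llx_const`, while the SELECT and DELETE in the two hunks above build the name from `MAIN_DB_PREFIX."const"`; with any other prefix the DELETE and the INSERT address different tables, so the constant is removed but presumably not written back. `$sql = "INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity)";` makes the three statements consistent. On the VALUES line `$type` and `$visible` are still spliced in raw next to the now-escaped `$note`; `",'".$db->escape($type)."',".((int) $visible).",'"` would bring that line in line with the rest of the statement. The two `//print` lines added below it are commented-out debugging and should be dropped before merge. dolibarr_set_const continues on both sides of the hunk.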
@@ -690,10 +690,11 @@ class DoliDb
 }
 /**
- * \brief Encrypt sensitive data in database
- * \param fieldorvalue Field name or value to encrypt
- * \param withQuotes Return string with quotes
- * \return return XXX(field) or XXX('value') or field or 'value'
+ * Encrypt sensitive data in database
+ * Warning: This function includes the escape, so it must use direct value
+ * @param fieldorvalue Field name or value to encrypt
+ * @param withQuotes Return string with quotes
+ * @return return XXX(field) or XXX('value') or field or 'value'
 */
 function encrypt($fieldorvalue, $withQuotes=0)
 {
@@ -706,7 +707,7 @@ class DoliDb
 $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
 $return = $fieldorvalue;
- return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
+ return ($withQuotes?"'":"").$this->escape($return).($withQuotes?"'":"");
 }
 /**
diff --git a/htdocs/lib/databases/mysql.lib.php b/htdocs/lib/databases/mysql.lib.php
index e85e94915a7..3f0b28f4c77 100644
--- a/htdocs/lib/databases/mysql.lib.php
+++ b/htdocs/lib/databases/mysql.lib.php
@@ -694,10 +694,11 @@ class DoliDb
 //---------------------------------------------------------------
 /**
- * \brief Encrypt sensitive data in database
- * \param fieldorvalue Field name or value to encrypt
- * \param withQuotes Return string with quotes
- * \return return XXX(field) or XXX('value') or field or 'value'
+ * Encrypt sensitive data in database
+ * Warning: This function includes the escape, so it must use direct value
+ * @param fieldorvalue Field name or value to encrypt
+ * @param withQuotes Return string with quotes
+ * @return return XXX(field) or XXX('value') or field or 'value'
 */
 function encrypt($fieldorvalue, $withQuotes=0)
 {
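Review bot: The new `Warning:` line in the docblock does not say what "direct value" rules out, so a reader cannot tell whether pre-escaping the argument is merely redundant or actually harmful; `* Warning: escapes its argument itself; pass the raw (unescaped) value, never the result of escape(), or the stored value is double-escaped` states the contract. The `@return` line still promises `XXX(field)` / `XXX('value')`, but in this driver the method returns the escaped input with optional quotes and nothing else (see the -706 hunk), so it should say that no encryption is applied here. The same docblock text is introduced in the mysql (-694), mysqli (-703) and pgsql (-831) hunks. Any call site elsewhere in the tree that still wraps `escape()` inside `encrypt()` (this commit only updates admin.lib.php) will now double-escape, which is worth a search before merge.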
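Review bot: `$cryptKey` is assigned on the first line of this hunk but never read before the return, so in this driver `encrypt()` only escapes and quotes and `dolibarr_main_db_cryptkey` has no effect; the new `$this->escape()` call does close the previous gap where `$fieldorvalue` reached the SQL string unescaped, but nothing is encrypted. Either add the key branch the mysql and mysqli drivers have (`if ($cryptType && !empty($cryptKey))` in their hunks) or drop the dead assignment and say in the docblock that this driver stores the value in clear. The pgsql -847 hunk has the identical shape. The hunk begins inside encrypt(), whose signature lies above it.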
@@ -709,7 +710,7 @@ class DoliDb
 //Encryption key
 $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
- $return = ($withQuotes?"'":"").addslashes($fieldorvalue).($withQuotes?"'":"");
+ $return = ($withQuotes?"'":"").$this->escape($fieldorvalue).($withQuotes?"'":"");
 if ($cryptType && !empty($cryptKey))
 {
diff --git a/htdocs/lib/databases/mysqli.lib.php b/htdocs/lib/databases/mysqli.lib.php
index 661e8dcc99e..4cfcb534e5b 100644
--- a/htdocs/lib/databases/mysqli.lib.php
+++ b/htdocs/lib/databases/mysqli.lib.php
@@ -703,10 +703,12 @@ class DoliDb
 }
 /**
- * \brief Encrypt sensitive data in database
- * \param fieldorvalue Field name or value to encrypt
- * \param withQuotes Return string with quotes
- * \return return XXX(field) or XXX('value') or field or 'value'
+ * Encrypt sensitive data in database
+ * Warning: This function includes the escape, so it must use direct value
+ * @param fieldorvalue Field name or value to encrypt
+ * @param withQuotes Return string with quotes
+ * @return return XXX(field) or XXX('value') or field or 'value'
+ *
 */
 function encrypt($fieldorvalue, $withQuotes=0)
 {
@@ -718,7 +720,7 @@ class DoliDb
 //Encryption key
 $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
- $return = ($withQuotes?"'":"").addslashes($fieldorvalue).($withQuotes?"'":"");
+ $return = ($withQuotes?"'":"").$this->escape($fieldorvalue).($withQuotes?"'":"");
 if ($cryptType && !empty($cryptKey))
 {
diff --git a/htdocs/lib/databases/pgsql.lib.php b/htdocs/lib/databases/pgsql.lib.php
index 9f783dda4fc..9ad226662fe 100644
--- a/htdocs/lib/databases/pgsql.lib.php
+++ b/htdocs/lib/databases/pgsql.lib.php
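Review bot: Replacing `addslashes()` with `$this->escape()` is the right direction, since `addslashes()` knows nothing about the connection charset, but it also changes when the call is safe to make: if this driver's `escape()` delegates to a connection-bound escaping function (its body is not in this diff), `encrypt()` now needs an open connection where `addslashes()` worked before connect. Worth confirming that no caller encrypts before the connection is established, or that `escape()` has a defined fallback in that state; the mysqli -718 hunk has the same change. The enclosing encrypt() starts above the hunk and the `if ($cryptType && !empty($cryptKey))` branch continues below it.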
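Review bot: The rewritten mysqli docblock ends with an extra empty ` *` line before ` */` that the mssql, mysql and pgsql versions of the same docblock do not have; drop the added `+ *` line so the four drivers stay identical and the block can be compared by eye. Apart from that line the new text is the same as in the other three drivers.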
@@ -831,10 +831,11 @@ class DoliDb
 }
 /**
- * \brief Encrypt sensitive data in database
- * \param fieldorvalue Field name or value to encrypt
- * \param withQuotes Return string with quotes
- * \return return XXX(field) or XXX('value') or field or 'value'
+ * Encrypt sensitive data in database
+ * Warning: This function includes the escape, so it must use direct value
+ * @param fieldorvalue Field name or value to encrypt
+ * @param withQuotes Return string with quotes
+ * @return return XXX(field) or XXX('value') or field or 'value'
 */
 function encrypt($fieldorvalue, $withQuotes=0)
 {
@@ -847,7 +848,7 @@ class DoliDb
 $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
 $return = $fieldorvalue;
- return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
+ return ($withQuotes?"'":"").$this->escape($return).($withQuotes?"'":"");
 }