Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-15 14:01:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Duplicate escaping when using encrypt

Browse Source
This commit is contained in:
Laurent Destailleur
2010-09-01 22:45:10 +00:00
parent 439f5134ab
commit abd19f59ba
5 changed files with 31 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/lib/admin.lib.php
View File

@@ -346,7 +346,7 @@ function dolibarr_get_const($db, $name, $entity=1)
$sql = "SELECT ".$db->decrypt('value')." as value"; $sql = "SELECT ".$db->decrypt('value')." as value";
$sql.= " FROM ".MAIN_DB_PREFIX."const"; $sql.= " FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE name = ".$db->encrypt($db->escape($name),1); $sql.= " WHERE name = ".$db->encrypt($name,1);
$sql.= " AND entity = ".$entity; $sql.= " AND entity = ".$entity;
dol_syslog("admin.lib::dolibarr_get_const sql=".$sql); dol_syslog("admin.lib::dolibarr_get_const sql=".$sql);
@@ -391,7 +391,7 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
$db->begin(); $db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE name = ".$db->encrypt($db->escape($name),1); $sql.= " WHERE name = ".$db->encrypt($name,1);
$sql.= " AND entity = ".$entity; $sql.= " AND entity = ".$entity;
dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG); dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
@@ -401,11 +401,13 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
{ {
$sql = "INSERT INTO llx_const(name,value,type,visible,note,entity)"; $sql = "INSERT INTO llx_const(name,value,type,visible,note,entity)";
$sql.= " VALUES ("; $sql.= " VALUES (";
$sql.= $db->encrypt($db->escape($name),1); $sql.= $db->encrypt($name,1);
$sql.= ", ".$db->encrypt($db->escape($value),1); $sql.= ", ".$db->encrypt($value,1);
$sql.= ",'".$type."',".$visible.",'".$db->escape($note)."',".$entity.")"; $sql.= ",'".$type."',".$visible.",'".$db->escape($note)."',".$entity.")";
//print "sql".$value."-".pg_escape_string($value)."-".$sql;exit; //print "sql".$value."-".pg_escape_string($value)."-".$sql;exit;
//print "xx".$db->escape($value);
//print $sql;exit;
dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG); dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
$resql=$db->query($sql); $resql=$db->query($sql);
} }

11
htdocs/lib/databases/mssql.lib.php
View File

@@ -690,10 +690,11 @@ class DoliDb
} }
/** /**
* \brief Encrypt sensitive data in database * Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt * Warning: This function includes the escape, so it must use direct value
* \param withQuotes Return string with quotes * @param fieldorvalue Field name or value to encrypt
* \return return XXX(field) or XXX('value') or field or 'value' * @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*/ */
function encrypt($fieldorvalue, $withQuotes=0) function encrypt($fieldorvalue, $withQuotes=0)
{ {
@@ -706,7 +707,7 @@ class DoliDb
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:''); $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = $fieldorvalue; $return = $fieldorvalue;
return ($withQuotes?"'":"").$return.($withQuotes?"'":""); return ($withQuotes?"'":"").$this->escape($return).($withQuotes?"'":"");
} }
/** /**

11
htdocs/lib/databases/mysql.lib.php
View File

@@ -694,10 +694,11 @@ class DoliDb
//--------------------------------------------------------------- //---------------------------------------------------------------
/** /**
* \brief Encrypt sensitive data in database * Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt * Warning: This function includes the escape, so it must use direct value
* \param withQuotes Return string with quotes * @param fieldorvalue Field name or value to encrypt
* \return return XXX(field) or XXX('value') or field or 'value' * @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*/ */
function encrypt($fieldorvalue, $withQuotes=0) function encrypt($fieldorvalue, $withQuotes=0)
{ {
@@ -709,7 +710,7 @@ class DoliDb
//Encryption key //Encryption key
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:''); $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = ($withQuotes?"'":"").addslashes($fieldorvalue).($withQuotes?"'":""); $return = ($withQuotes?"'":"").$this->escape($fieldorvalue).($withQuotes?"'":"");
if ($cryptType && !empty($cryptKey)) if ($cryptType && !empty($cryptKey))
{ {

12
htdocs/lib/databases/mysqli.lib.php
View File

@@ -703,10 +703,12 @@ class DoliDb
} }
/** /**
* \brief Encrypt sensitive data in database * Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt * Warning: This function includes the escape, so it must use direct value
* \param withQuotes Return string with quotes * @param fieldorvalue Field name or value to encrypt
* \return return XXX(field) or XXX('value') or field or 'value' * @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*
*/ */
function encrypt($fieldorvalue, $withQuotes=0) function encrypt($fieldorvalue, $withQuotes=0)
{ {
@@ -718,7 +720,7 @@ class DoliDb
//Encryption key //Encryption key
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:''); $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = ($withQuotes?"'":"").addslashes($fieldorvalue).($withQuotes?"'":""); $return = ($withQuotes?"'":"").$this->escape($fieldorvalue).($withQuotes?"'":"");
if ($cryptType && !empty($cryptKey)) if ($cryptType && !empty($cryptKey))
{ {

11
htdocs/lib/databases/pgsql.lib.php
View File

@@ -831,10 +831,11 @@ class DoliDb
} }
/** /**
* \brief Encrypt sensitive data in database * Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt * Warning: This function includes the escape, so it must use direct value
* \param withQuotes Return string with quotes * @param fieldorvalue Field name or value to encrypt
* \return return XXX(field) or XXX('value') or field or 'value' * @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*/ */
function encrypt($fieldorvalue, $withQuotes=0) function encrypt($fieldorvalue, $withQuotes=0)
{ {
@@ -847,7 +848,7 @@ class DoliDb
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:''); $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = $fieldorvalue; $return = $fieldorvalue;
return ($withQuotes?"'":"").$return.($withQuotes?"'":""); return ($withQuotes?"'":"").$this->escape($return).($withQuotes?"'":"");
} }