Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-15 14:01:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Duplicate escaping when using encrypt

Browse Source
This commit is contained in:
Laurent Destailleur
2010-09-01 22:45:10 +00:00
parent 439f5134ab
commit abd19f59ba
5 changed files with 31 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/lib/admin.lib.php
View File

@@ -346,7 +346,7 @@ function dolibarr_get_const($db, $name, $entity=1)
$sql = "SELECT ".$db->decrypt('value')." as value";
$sql.= " FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE name = ".$db->encrypt($db->escape($name),1);
$sql.= " WHERE name = ".$db->encrypt($name,1);
$sql.= " AND entity = ".$entity;
dol_syslog("admin.lib::dolibarr_get_const sql=".$sql);
@@ -391,7 +391,7 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
$db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE name = ".$db->encrypt($db->escape($name),1);
$sql.= " WHERE name = ".$db->encrypt($name,1);
$sql.= " AND entity = ".$entity;
dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
@@ -401,11 +401,13 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
{
$sql = "INSERT INTO llx_const(name,value,type,visible,note,entity)";
$sql.= " VALUES (";
$sql.= $db->encrypt($db->escape($name),1);
$sql.= ", ".$db->encrypt($db->escape($value),1);
$sql.= $db->encrypt($name,1);
$sql.= ", ".$db->encrypt($value,1);
$sql.= ",'".$type."',".$visible.",'".$db->escape($note)."',".$entity.")";
//print "sql".$value."-".pg_escape_string($value)."-".$sql;exit;
//print "xx".$db->escape($value);
//print $sql;exit;
dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
$resql=$db->query($sql);
}

11
htdocs/lib/databases/mssql.lib.php
View File

@@ -690,10 +690,11 @@ class DoliDb
}
/**
* \brief Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt
* \param withQuotes Return string with quotes
* \return return XXX(field) or XXX('value') or field or 'value'
* Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value
* @param fieldorvalue Field name or value to encrypt
* @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*/
function encrypt($fieldorvalue, $withQuotes=0)
{
@@ -706,7 +707,7 @@ class DoliDb
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = $fieldorvalue;
return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
return ($withQuotes?"'":"").$this->escape($return).($withQuotes?"'":"");
}
/**

11
htdocs/lib/databases/mysql.lib.php
View File

@@ -694,10 +694,11 @@ class DoliDb
//---------------------------------------------------------------
/**
* \brief Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt
* \param withQuotes Return string with quotes
* \return return XXX(field) or XXX('value') or field or 'value'
* Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value
* @param fieldorvalue Field name or value to encrypt
* @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*/
function encrypt($fieldorvalue, $withQuotes=0)
{
@@ -709,7 +710,7 @@ class DoliDb
//Encryption key
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = ($withQuotes?"'":"").addslashes($fieldorvalue).($withQuotes?"'":"");
$return = ($withQuotes?"'":"").$this->escape($fieldorvalue).($withQuotes?"'":"");
if ($cryptType && !empty($cryptKey))
{

12
htdocs/lib/databases/mysqli.lib.php
View File

@@ -703,10 +703,12 @@ class DoliDb
}
/**
* \brief Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt
* \param withQuotes Return string with quotes
* \return return XXX(field) or XXX('value') or field or 'value'
* Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value
* @param fieldorvalue Field name or value to encrypt
* @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*
*/
function encrypt($fieldorvalue, $withQuotes=0)
{
@@ -718,7 +720,7 @@ class DoliDb
//Encryption key
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = ($withQuotes?"'":"").addslashes($fieldorvalue).($withQuotes?"'":"");
$return = ($withQuotes?"'":"").$this->escape($fieldorvalue).($withQuotes?"'":"");
if ($cryptType && !empty($cryptKey))
{

11
htdocs/lib/databases/pgsql.lib.php
View File

@@ -831,10 +831,11 @@ class DoliDb
}
/**
* \brief Encrypt sensitive data in database
* \param fieldorvalue Field name or value to encrypt
* \param withQuotes Return string with quotes
* \return return XXX(field) or XXX('value') or field or 'value'
* Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value
* @param fieldorvalue Field name or value to encrypt
* @param withQuotes Return string with quotes
* @return return XXX(field) or XXX('value') or field or 'value'
*/
function encrypt($fieldorvalue, $withQuotes=0)
{
@@ -847,7 +848,7 @@ class DoliDb
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey)?$conf->db->dolibarr_main_db_cryptkey:'');
$return = $fieldorvalue;
return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
return ($withQuotes?"'":"").$this->escape($return).($withQuotes?"'":"");
}