#198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
parent
52f95c981b
commit
89be29505b
@ -350,7 +350,7 @@ function db_rewrite_sql($query, $primary_table = 'n', $primary_field = 'nid', $
}
/**
* Restrict a dynamic tablename to safe characters.
* Restrict a dynamic table, column or constraint name to safe characters.
*
* Only keeps alphanumeric and underscores.
*/
@ -346,14 +346,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
}
/**
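Review bot: The rewritten db_column_exists() still feeds the column name into a LIKE pattern, and db_escape_table() deliberately keeps underscores (its docblock in this same commit says "Only keeps alphanumeric and underscores"), which LIKE treats as a single-character wildcard; a check for `node_name` would therefore also report TRUE for a column named `nodeXname`, and db_table_exists() a few lines up has the same exposure for table names. Because the identifier has already been reduced to [A-Za-z0-9_], escaping the underscore for the LIKE context is enough, e.g. `$column = str_replace('_', '\_', db_escape_table($column));` before building the query, or alternatively iterate the `SHOW COLUMNS` result and compare names in PHP. The identical hunk for the mysqli driver further down has the same issue and is not repeated there.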
@ -346,14 +346,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
}
/**
@ -228,7 +228,7 @@ function db_error() {
* The name of the autoincrement field.
*/
function db_last_insert_id($table, $field) {
return db_result(db_query("SELECT currval('%s_seq')", db_prefix_tables('{'. $table .'}') .'_'. $field));
return db_result(db_query("SELECT CURRVAL('{". db_escape_table($table) ."}_". db_escape_table($field) ."_seq')"));
}
/**
@ -384,14 +384,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
return db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
return (bool) db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
return db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname='%s'", $column));
return (bool) db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname = '". db_escape_table($column) ."'"));
}
/**
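Review bot: Both rewritten pg_class queries match relname against every relation kind and are not schema-qualified, so a sequence, index or view that happens to carry the requested name makes db_table_exists() return TRUE, and db_column_exists() only avoids the same false positive because attname must match as well. Restricting the lookup to ordinary tables would tighten both: append `AND pg_class.relkind = 'r'` to each WHERE clause (and join pg_namespace if the search path cannot be trusted, which I cannot tell from this hunk). The (bool) casts themselves are sound since COUNT(*) never yields NULL.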
@ -39,9 +39,14 @@ function tablesort_init($header) {
function tablesort_sql($header, $before = '') {
$ts = tablesort_init($header);
if ($ts['sql']) {
$sql = db_escape_string($ts['sql']);
$sort = drupal_strtoupper(db_escape_string($ts['sort']));
return " ORDER BY $before $sql $sort";
// Based on code from db_escape_table(), but this can also contain a dot.
$field = preg_replace('/[^A-Za-z0-9_.]+/', '', $ts['sql']);
// Sort order can only be ASC or DESC.
$sort = drupal_strtoupper($ts['sort']);
$sort = in_array($sort, array('ASC', 'DESC')) ? $sort : '';
return " ORDER BY $before $field $sort";
}
}
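Review bot: `$before` is still interpolated verbatim on the `return " ORDER BY $before $field $sort";` line while `$field` and `$sort` are now filtered, so the function's safety rests on every caller passing a literal SQL fragment there; that contract should be stated in the docblock, which begins outside the hunk, e.g. `@param $before An optional SQL fragment placed before the sort column; it is inserted verbatim and must never be derived from user input.`. Two smaller points on the new lines: the whitelist check should be `$sort = in_array($sort, array('ASC', 'DESC'), TRUE) ? $sort : '';` so a loose comparison cannot match, and if preg_replace() strips everything from `$ts['sql']` the clause degrades to `ORDER BY  DESC`, which is invalid SQL, so `if ($field === '') { return; }` after the preg_replace would mirror the implicit NULL the function already returns when `$ts['sql']` is empty.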
@ -206,7 +206,10 @@ function statistics_cron() {
* or FALSE if the query could not be executed correctly.
*/
function statistics_title_list($dbfield, $dbrows) {
return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE %s <> '0' AND n.status = 1 ORDER BY %s DESC"), 's.'. $dbfield, 's.'. $dbfield, 0, $dbrows);
if (in_array($dbfield, array('totalcount', 'daycount', 'timestamp'))) {
return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE s.". $dbfield ." != 0 AND n.status = 1 ORDER BY s.". $dbfield ." DESC"), 0, $dbrows);
}
return FALSE;
}
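Review bot: The docblock fragment at the top of the hunk still promises FALSE only "if the query could not be executed correctly", but the new guard also returns FALSE when `$dbfield` is not one of the three whitelisted node_counter columns; suggest `* or FALSE if $dbfield is not a known counter column or the query could not be executed correctly.` (the docblock starts outside the hunk). The whitelist check should also pass the strict flag: `if (in_array($dbfield, array('totalcount', 'daycount', 'timestamp'), TRUE)) {`. Whitelisting is the right approach here since a column name cannot be bound as a query argument.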
@ -1213,7 +1213,7 @@ function system_cron() {
db_query('DELETE FROM {batch} WHERE timestamp < %d', time() - 864000);
// Remove temporary files that are older than DRUPAL_MAXIMUM_TEMP_FILE_AGE.
$result = db_query('SELECT * FROM {files} WHERE status = %s and timestamp < %d', FILE_STATUS_TEMPORARY, time() - DRUPAL_MAXIMUM_TEMP_FILE_AGE);
$result = db_query('SELECT * FROM {files} WHERE status = %d and timestamp < %d', FILE_STATUS_TEMPORARY, time() - DRUPAL_MAXIMUM_TEMP_FILE_AGE);
while ($file = db_fetch_object($result)) {
if (file_exists($file->filepath)) {
// If files that exist cannot be deleted, continue so the database remains
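Review bot: The corrected query mixes keyword casing, `status = %d and timestamp < %d`, while the DELETE two lines above uses uppercase; since the line is being touched anyway, `'SELECT * FROM {files} WHERE status = %d AND timestamp < %d'` keeps the style uniform. The switch from %s to %d is only correct if FILE_STATUS_TEMPORARY is an integer constant, which I cannot confirm from this hunk. system_cron() continues on both sides of the hunk.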