Add rcube_db::escape() method, fix escapeSimple() to use escape instead of quote()

11 years ago · 51f52b525b
parent 7af32a95bb
commit 51f52b525b
2 changed files with 25 additions and 9 deletions
--- a/plugins/virtuser_query/virtuser_query.php
+++ b/plugins/virtuser_query/virtuser_query.php
@ -55,7 +55,7 @@ class virtuser_query extends rcube_plugin
    {
        $dbh = $this->app->get_dbh();

-        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->quote($p['user']), $this->config['email']));
+        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->escape($p['user']), $this->config['email']));

        while ($sql_arr = $dbh->fetch_array($sql_result)) {
            if (strpos($sql_arr[0], '@')) {
@ -92,7 +92,7 @@ class virtuser_query extends rcube_plugin
    {
        $dbh = $this->app->get_dbh();

-        $sql_result = $dbh->query(preg_replace('/%m/', $dbh->quote($p['email']), $this->config['user']));
+        $sql_result = $dbh->query(preg_replace('/%m/', $dbh->escape($p['email']), $this->config['user']));

        if ($sql_arr = $dbh->fetch_array($sql_result)) {
            $p['user'] = $sql_arr[0];
@ -108,7 +108,7 @@ class virtuser_query extends rcube_plugin
    {
        $dbh = $this->app->get_dbh();

-        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->quote($p['user']), $this->config['host']));
+        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->escape($p['user']), $this->config['host']));

        if ($sql_arr = $dbh->fetch_array($sql_result)) {
            $p['host'] = $sql_arr[0];
--- a/program/lib/Roundcube/rcube_db.php
+++ b/program/lib/Roundcube/rcube_db.php
@ -633,6 +633,22 @@ class rcube_db
        return 'NULL';
    }

+    /**
+     * Escapes a string so it can be safely used in a query
+     *
+     * @param string $str A string to escape
+     *
+     * @return string Escaped string for use in a query
+     */
+    public function escape($str)
+    {
+        if (is_null($str)) {
+            return 'NULL';
+        }
+
+        return substr($this->quote($str), 1, -1);
+    }
+
    /**
     * Quotes a string so it can be safely used as a table or column name
     *
@ -648,17 +664,17 @@ class rcube_db
    }

    /**
-     * Quotes a string so it can be safely used as a table or column name
+     * Escapes a string so it can be safely used in a query
     *
-     * @param string $str Value to quote
+     * @param string $str A string to escape
     *
-     * @return string Quoted string for use in query
-     * @deprecated    Replaced by rcube_db::quote
-     * @see           rcube_db::quote
+     * @return string Escaped string for use in a query
+     * @deprecated    Replaced by rcube_db::escape
+     * @see           rcube_db::escape
     */
    public function escapeSimple($str)
    {
-        return $this->quote($str);
+        return $this->escape($str);
    }

    /**