From 51f52b525bc3b10b8008d916353f3034a9081cee Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 17 Apr 2013 19:33:42 +0200 Subject: [PATCH] Add rcube_db::escape() method, fix escapeSimple() to use escape instead of quote() --- plugins/virtuser_query/virtuser_query.php | 6 ++--- program/lib/Roundcube/rcube_db.php | 28 ++++++++++++++++++----- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/plugins/virtuser_query/virtuser_query.php b/plugins/virtuser_query/virtuser_query.php index 6eb7ad647..a4c83265e 100644 --- a/plugins/virtuser_query/virtuser_query.php +++ b/plugins/virtuser_query/virtuser_query.php @@ -55,7 +55,7 @@ class virtuser_query extends rcube_plugin { $dbh = $this->app->get_dbh(); - $sql_result = $dbh->query(preg_replace('/%u/', $dbh->quote($p['user']), $this->config['email'])); + $sql_result = $dbh->query(preg_replace('/%u/', $dbh->escape($p['user']), $this->config['email'])); while ($sql_arr = $dbh->fetch_array($sql_result)) { if (strpos($sql_arr[0], '@')) { @@ -92,7 +92,7 @@ class virtuser_query extends rcube_plugin { $dbh = $this->app->get_dbh(); - $sql_result = $dbh->query(preg_replace('/%m/', $dbh->quote($p['email']), $this->config['user'])); + $sql_result = $dbh->query(preg_replace('/%m/', $dbh->escape($p['email']), $this->config['user'])); if ($sql_arr = $dbh->fetch_array($sql_result)) { $p['user'] = $sql_arr[0]; @@ -108,7 +108,7 @@ class virtuser_query extends rcube_plugin { $dbh = $this->app->get_dbh(); - $sql_result = $dbh->query(preg_replace('/%u/', $dbh->quote($p['user']), $this->config['host'])); + $sql_result = $dbh->query(preg_replace('/%u/', $dbh->escape($p['user']), $this->config['host'])); if ($sql_arr = $dbh->fetch_array($sql_result)) { $p['host'] = $sql_arr[0]; diff --git a/program/lib/Roundcube/rcube_db.php b/program/lib/Roundcube/rcube_db.php index 9104a85d8..62ece1ba5 100644 --- a/program/lib/Roundcube/rcube_db.php +++ b/program/lib/Roundcube/rcube_db.php 
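Review bot: The escaped username is passed as the replacement argument of preg_replace() in the new `+` line of the first hunk, and PHP interprets that argument: a doubled backslash collapses to a single one and `$n`/`\n` sequences are read as backreferences, so the escaping escape() just applied can be undone before the string reaches the query. With a driver whose quote() escapes using backslashes (MySQL), a login name containing `\'` comes out of escape() as `\\\'`, is collapsed to `\\'` by preg_replace(), and closes the SQL literal early — an injection that the switch from quote() to escape() does not address. A literal replacement avoids this: `$sql_result = $dbh->query(str_replace('%u', $dbh->escape($p['user']), $this->config['email']));`. The same applies to the `%m` and `%u` replacements in the two hunks below; the enclosing method's signature and the rest of its body are outside this hunk.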
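Review bot: escape() returns the value without surrounding quotes, so the `%m` replacement in the second hunk's new line is only safe if the configured `user` query itself wraps the placeholder in single quotes (`... WHERE email = '%m'`); with an unquoted placeholder (`WHERE id = %m`) the escaped `$p['email']` is spliced straight into the statement, because escaping only neutralises quote characters inside a literal. Nothing at the call site can check the configured query, so the contract should at least be stated where the value is built, e.g. `// %m must sit inside single quotes in the configured query: escape() omits the quotes that quote() adds`. The enclosing method's signature and the rest of its body are outside this hunk.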
@@ -633,6 +633,22 @@ class rcube_db return 'NULL'; } + /** + * Escapes a string so it can be safely used in a query + * + * @param string $str A string to escape + * + * @return string Escaped string for use in a query + */ + public function escape($str) + { + if (is_null($str)) { + return 'NULL'; + } + + return substr($this->quote($str), 1, -1); + } + /** * Quotes a string so it can be safely used as a table or column name * @@ -648,17 +664,17 @@ class rcube_db } /** - * Quotes a string so it can be safely used as a table or column name + * Escapes a string so it can be safely used in a query * - * @param string $str Value to quote + * @param string $str A string to escape * - * @return string Quoted string for use in query - * @deprecated Replaced by rcube_db::quote - * @see rcube_db::quote + * @return string Escaped string for use in a query + * @deprecated Replaced by rcube_db::escape + * @see rcube_db::escape */ public function escapeSimple($str) { - return $this->quote($str); + return $this->escape($str); } /**
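Review bot: `substr($this->quote($str), 1, -1)` in the new escape() strips one character from each end of whatever quote() returns without checking that those characters are the quote delimiters. The method that closes just above the insertion — quote(), judging by the adjoining docblocks — ends in `return 'NULL';`; if that fallback is reached for a non-null input (presumably when no DB handle is available), escape() returns `UL`, and a driver whose quote() returns false would yield an empty string, both silently spliced into SQL. The docblock should also say where the result is safe: `@return string Escaped string for use inside a single-quoted string literal in a query (the surrounding quotes are not included)`. I would guard the strip as below; the class body continues outside the hunk.
```php
    public function escape($str)
    {
        if (is_null($str)) {
            return 'NULL';
        }

        $quoted = $this->quote($str);

        // Only strip delimiters that quote() actually added; pass any bare
        // token (e.g. the NULL fallback, or false from an unsupported driver)
        // through untouched rather than letting substr() corrupt it.
        if (!is_string($quoted) || strlen($quoted) < 2
            || $quoted[0] !== "'" || substr($quoted, -1) !== "'") {
            return $quoted;
        }

        return substr($quoted, 1, -1);
    }
```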
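Review bot: The one-line change in escapeSimple() turns its return value from a quoted literal (`'foo'`, via quote()) into a bare escaped string (`foo`), so any caller that concatenated the old result directly — `"... WHERE x = " . $db->escapeSimple($v)` — now emits an unquoted value and becomes injectable, and the updated @deprecated tag does not warn about that. Even if an unquoted result is what escapeSimple() was always meant to return (the commit message calls this a fix), the call sites written against the quote() behaviour need auditing in the same change. I would add to the docblock: `Unlike quote(), the result is NOT wrapped in quotes; callers must place it inside single quotes in the query.` The class body continues beyond the hunk.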