chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Remove excessive SQL quotes filtering adding risk to queries (done better) - refs BT#13285

Browse Source
pull/2487/head
Yannick Warnier 8 years ago
parent 63438e70ce
commit 4ffe5edb44
1 changed files with 6 additions and 2 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 8
      main/inc/lib/database.lib.php

8
main/inc/lib/database.lib.php
Unescape View File

@ -248,8 +248,12 @@ class Database
public static function escape_string($string)
{
$string = self::getManager()->getConnection()->quote($string);
return trim($string, "'");
// The quote method from PDO also adds quotes around the string, which
// is not how the legacy mysql_real_escape_string() was used in
// Chamilo, so we need to remove the quotes around. Using trim will
// remove more than one quote if they are sequenced, generating
// broken queries and SQL injection risks
return substr($string, 1, -1);
}
/**

Write Preview
Loading…
Cancel
Save