Disable hack to Database::escape_string() to avoid SQL injections - partial - refs #7440

11 years ago · 7d4d935372
parent 28baec78d2
commit 7d4d935372
1 changed files with 3 additions and 1 deletions
--- a/main/inc/lib/database.lib.php
+++ b/main/inc/lib/database.lib.php
@ -472,9 +472,11 @@ class Database
    {
        // Fixes security problem when there's no "" or '' between a variable.
        // See #7440 for more info
+        /*
        if ($addFix) {
            $string = "__@$string@__";
        }
+        */
        return get_magic_quotes_gpc()
            ? (self::use_default_connection($connection)
                ? mysql_real_escape_string(stripslashes($string))
@ -748,7 +750,7 @@ class Database
            $connection = null;
        }

-        $query = self::fixQuery($query);
+        //$query = self::fixQuery($query);

        // Check if the table contains a c_ (means a course id)
        if (api_get_setting('server_type') === 'test' && strpos($query, 'c_')) {