[Fmsystem-commits] [15972] api: escaping values
From: |
sigurdne |
Subject: |
[Fmsystem-commits] [15972] api: escaping values |
Date: |
Wed, 9 Nov 2016 13:53:05 +0000 (UTC) |
Revision: 15972
http://svn.sv.gnu.org/viewvc/?view=rev&root=fmsystem&revision=15972
Author: sigurdne
Date: 2016-11-09 13:53:04 +0000 (Wed, 09 Nov 2016)
Log Message:
-----------
api: escaping values
Modified Paths:
--------------
trunk/phpgwapi/inc/class.db_adodb.inc.php
trunk/phpgwapi/inc/class.db_pdo.inc.php
trunk/phpgwapi/inc/class.phpgw.inc.php
Modified: trunk/phpgwapi/inc/class.db_adodb.inc.php
===================================================================
--- trunk/phpgwapi/inc/class.db_adodb.inc.php 2016-11-09 13:51:57 UTC (rev
15971)
+++ trunk/phpgwapi/inc/class.db_adodb.inc.php 2016-11-09 13:53:04 UTC (rev
15972)
@@ -628,7 +628,8 @@
{
if ($strip_slashes ||
($this->auto_stripslashes && ! $strip_slashes))
{
- return
htmlspecialchars_decode(stripslashes($this->resultSet->fields[$name]),ENT_QUOTES);
+ return
htmlspecialchars_decode(stripslashes(str_replace(array('&','(',
')', '=','−−',';'), array('&','(', ')', '=', '--',';'),
$this->resultSet->fields[$name])),ENT_QUOTES);
+// return
htmlspecialchars_decode(stripslashes($this->resultSet->fields[$name]),ENT_QUOTES);
}
else
{
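Review bot: The `str_replace` on the added return line runs before `htmlspecialchars_decode`, so a stored value that legitimately contains an encoded entity is decoded twice and comes back altered (text saved as `&amp;amp;` by the double-encoding write path would return as `&` instead of `&amp;`); the message rendering has decoded the entities in the search array, so I am inferring it lists `&amp;`, `&#40;` and similar — please check against the actual source. The same mapping rewrites any stored pair of U+2212 minus signs to `--`, which changes data that never went through the write-side substitution. The added `+// return htmlspecialchars_decode(stripslashes($this->resultSet->fields[$name]),ENT_QUOTES);` line is the previous implementation kept as a comment and should be dropped rather than left in the method. The same replacement appears in the class.db_pdo.inc.php hunk; the enclosing method starts and ends outside this hunk.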
Modified: trunk/phpgwapi/inc/class.db_pdo.inc.php
===================================================================
--- trunk/phpgwapi/inc/class.db_pdo.inc.php 2016-11-09 13:51:57 UTC (rev
15971)
+++ trunk/phpgwapi/inc/class.db_pdo.inc.php 2016-11-09 13:53:04 UTC (rev
15972)
@@ -831,7 +831,7 @@
{
if ($strip_slashes ||
($this->auto_stripslashes && ! $strip_slashes))
{
- return
htmlspecialchars_decode(stripslashes(str_replace(array('&;#40;',
'&;#41;'), array('(', ')'), $this->Record[$name])),ENT_QUOTES);
+ return
htmlspecialchars_decode(stripslashes(str_replace(array('&','(',
')', '=','−−',';'), array('&','(', ')', '=', '--',';'),
$this->Record[$name])),ENT_QUOTES);
// return
htmlspecialchars_decode(stripslashes($this->Record[$name]));
}
else
Modified: trunk/phpgwapi/inc/class.phpgw.inc.php
===================================================================
--- trunk/phpgwapi/inc/class.phpgw.inc.php 2016-11-09 13:51:57 UTC (rev
15971)
+++ trunk/phpgwapi/inc/class.phpgw.inc.php 2016-11-09 13:53:04 UTC (rev
15972)
@@ -463,8 +463,9 @@
case 'string':
default:
$value = filter_var($value,
FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
- $value =
htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
- $value =
str_replace(array(';','(', ')', '=', '--'),array(';','(', ')',
'=','−−'), $value); // prevent SQL-injection
+ $value =
htmlspecialchars($value, ENT_QUOTES, 'UTF-8', true);
+ // $value = htmlentities($value,
ENT_QUOTES, 'UTF-8', true);
+ $value = str_replace(array('(',
')', '=', '--',';'),array('(', ')', '=','−−',';'),
$value); // prevent SQL-injection
break;
case 'boolean':
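Review bot: The substitution on the last added lines, commented `// prevent SQL-injection`, does not prevent SQL injection: swapping `(`, `)`, `=`, `--` and `;` in input for entity text is a denylist on five tokens, the preceding `htmlspecialchars` call already encodes quotes, and the replacement corrupts legitimate values (any `--` in a name or note becomes a pair of U+2212 characters), while the real protection has to be parameterised queries or driver quoting in the db classes where the value reaches SQL; the comment should say what the line actually does, e.g. `// HTML-encodes for output only; SQL safety must come from prepared statements`. The `true` added as the fourth argument of `htmlspecialchars` is the default of `$double_encode`, so that line is unchanged in effect; if the intent was to stop re-encoding entities that the read path decodes, it would need `false`. The entities in the replacement array have been decoded by the message rendering, so I am reading them as `&#40;`-style strings rather than literal characters. The enclosing `switch` starts and ends outside the hunk.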