[Fmsystem-commits] [13775] more on preventing sql injection
From: |
Sigurd Nes |
Subject: |
[Fmsystem-commits] [13775] more on preventing sql injection |
Date: |
Tue, 25 Aug 2015 20:14:55 +0000 |
Revision: 13775
http://svn.sv.gnu.org/viewvc/?view=rev&root=fmsystem&revision=13775
Author: sigurdne
Date: 2015-08-25 20:14:54 +0000 (Tue, 25 Aug 2015)
Log Message:
-----------
more on preventing sql injection
Modified Paths:
--------------
trunk/phpgwapi/inc/class.db_pdo.inc.php
Modified: trunk/phpgwapi/inc/class.db_pdo.inc.php
===================================================================
--- trunk/phpgwapi/inc/class.db_pdo.inc.php 2015-08-25 13:29:40 UTC (rev
13774)
+++ trunk/phpgwapi/inc/class.db_pdo.inc.php 2015-08-25 20:14:54 UTC (rev
13775)
@@ -359,13 +359,11 @@
{
$this->connect();
}
-
- if(!$exec)
+ $fetch = true;
+ if(preg_match('/(^INSERT INTO|^DELETE
FROM|^CREATE|^DROP|^ALTER|^UPDATE)/i', $sql)) // need it for MySQL and Oracle
{
- if(preg_match('/(^INSERT INTO|^DELETE
FROM|^CREATE|^DROP|^ALTER|^UPDATE)/i', $sql)) // need it for MySQL and Oracle
- {
- $exec = true;
- }
+// $exec = true; //ignored
+ $fetch = false;
}
try
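Review bot: The statement classifier on the `preg_match` line is anchored with `^`, so any statement that begins with whitespace, a newline or a comment is treated as a read and sent through `fetchAll()`, and `INSERT` written without `INTO` (accepted by MySQL), `TRUNCATE` and `REPLACE` are not matched at all. A more tolerant test would be `if(preg_match('/^\s*(INSERT|DELETE|CREATE|DROP|ALTER|UPDATE|TRUNCATE|REPLACE)\b/i', $sql))`. Since the `$exec` argument is now ignored (`//$exec = true; //ignored`), the method's docblock should say so, e.g. `@param bool $exec unused since rev 13775; the statement type is detected from $sql`. This check only decides whether rows are fetched and does not validate `$sql`, so the protection the log message refers to presumably has to come from callers binding parameters rather than from this branch. The enclosing method begins outside the hunk.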
@@ -380,24 +378,28 @@
*/
{
$statement_object =
$this->db->query($sql);
+ if($fetch)
+ {
/*
- $num_rows =
$this->statement_object->rowCount();
- if($num_rows > 200)
- {
- $fetch_single = true;
- $this->fetch_single =
$fetch_single;
- }
+ $num_rows =
$this->statement_object->rowCount();
+ if($num_rows > 200)
+ {
+ $fetch_single = true;
+ $this->fetch_single =
$fetch_single;
+ }
*/
- if($fetch_single)
- {
- $this->resultSet =
$statement_object->fetch($this->pdo_fetchmode);
- $this->statement_object =
$statement_object;
- unset($statement_object);
+
+ if($fetch_single)
+ {
+ $this->resultSet =
$statement_object->fetch($this->pdo_fetchmode);
+ $this->statement_object
= $statement_object;
+
unset($statement_object);
+ }
+ else
+ {
+ $this->resultSet =
$statement_object->fetchAll($this->pdo_fetchmode);
+ }
}
- else
- {
- $this->resultSet =
$statement_object->fetchAll($this->pdo_fetchmode);
- }
}
}
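Review bot: When `$fetch` is false the new `if($fetch)` block skips both assignments, so `$this->resultSet` and `$this->statement_object` keep whatever the previous query left in them; a caller that iterates results after an `UPDATE` or `DELETE` would presumably see stale rows from an earlier `SELECT`. An `else` branch after the `if($fetch) { … }` block closes that gap: `else { $this->resultSet = array(); $this->statement_object = null; }`. The commented-out `rowCount() > 200` block is re-indented rather than removed; it is dead code the surrounding logic no longer depends on and should be deleted. The enclosing method, and apparently the `try` opened at the end of the previous hunk, continue outside this hunk.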