
[Fmsystem-commits] [13775] more on preventing sql injection


From: Sigurd Nes
Subject: [Fmsystem-commits] [13775] more on preventing sql injection
Date: Tue, 25 Aug 2015 20:14:55 +0000

Revision: 13775
          http://svn.sv.gnu.org/viewvc/?view=rev&root=fmsystem&revision=13775
Author:   sigurdne
Date:     2015-08-25 20:14:54 +0000 (Tue, 25 Aug 2015)
Log Message:
-----------
more on preventing sql injection

Modified Paths:
--------------
    trunk/phpgwapi/inc/class.db_pdo.inc.php

Modified: trunk/phpgwapi/inc/class.db_pdo.inc.php
===================================================================
--- trunk/phpgwapi/inc/class.db_pdo.inc.php     2015-08-25 13:29:40 UTC (rev 
13774)
+++ trunk/phpgwapi/inc/class.db_pdo.inc.php     2015-08-25 20:14:54 UTC (rev 
13775)
@@ -359,13 +359,11 @@
                        {
                                $this->connect();
                        }
-
-                       if(!$exec)
+                       $fetch = true;
+                       if(preg_match('/(^INSERT INTO|^DELETE 
FROM|^CREATE|^DROP|^ALTER|^UPDATE)/i', $sql)) // need it for MySQL and Oracle
                        {
-                               if(preg_match('/(^INSERT INTO|^DELETE 
FROM|^CREATE|^DROP|^ALTER|^UPDATE)/i', $sql)) // need it for MySQL and Oracle
-                               {
-                                       $exec = true;
-                               }
+//                             $exec = true; //ignored
+                               $fetch = false;
                        }
 
                        try
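Review bot: The statement classifier on the new `preg_match` line anchors at `^` with no allowance for leading whitespace, so a query string such as `"\n INSERT INTO ..."`, or one beginning with `TRUNCATE`, `REPLACE` or `MERGE`, is still routed to the fetch path that the `// need it for MySQL and Oracle` comment says those drivers need to avoid; `if(preg_match('/^\s*(INSERT|DELETE|CREATE|DROP|ALTER|UPDATE|TRUNCATE|REPLACE|MERGE)\b/i', $sql))` covers those cases. Despite the log message, nothing in this hunk changes how `$sql` reaches the driver — it is still passed as a caller-built string (the `$this->db->query($sql)` call in the next hunk), so any injection protection has to come from the callers quoting their values, and a one-line comment above the classifier saying `// classification only: $sql is executed verbatim, callers must quote/parameterise` would stop readers from assuming this branch sanitises anything. The commented-out `//  $exec = true; //ignored` line is dead code and should be deleted; if `$exec` is now unused, its parameter should be documented as ignored. The enclosing method begins and ends outside the hunk.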
@@ -380,24 +378,28 @@
 */
                                {
                                        $statement_object = 
$this->db->query($sql);
+                                       if($fetch)
+                                       {
 /*
-                                       $num_rows = 
$this->statement_object->rowCount();
-                                       if($num_rows > 200)
-                                       {
-                                               $fetch_single = true;
-                                               $this->fetch_single = 
$fetch_single;
-                                       }
+                                               $num_rows = 
$this->statement_object->rowCount();
+                                               if($num_rows > 200)
+                                               {
+                                                       $fetch_single = true;
+                                                       $this->fetch_single = 
$fetch_single;
+                                               }
 */
-                                       if($fetch_single)
-                                       {
-                                               $this->resultSet = 
$statement_object->fetch($this->pdo_fetchmode);
-                                               $this->statement_object = 
$statement_object;
-                                               unset($statement_object);
+
+                                               if($fetch_single)
+                                               {
+                                                       $this->resultSet = 
$statement_object->fetch($this->pdo_fetchmode);
+                                                       $this->statement_object 
= $statement_object;
+                                                       
unset($statement_object);
+                                               }
+                                               else
+                                               {
+                                                       $this->resultSet = 
$statement_object->fetchAll($this->pdo_fetchmode);
+                                               }
                                        }
-                                       else
-                                       {
-                                               $this->resultSet = 
$statement_object->fetchAll($this->pdo_fetchmode);
-                                       }
                                }
                        }
 
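Review bot: When `$fetch` is false the new `if($fetch)` branch simply discards `$statement_object`, so `$this->resultSet` and `$this->statement_object` keep whatever the previous query left in them and the affected-row count is never exposed; unless these are reset elsewhere in the method (not visible in the hunk), a caller reading `resultSet` after an UPDATE gets stale rows from an earlier SELECT. Adding an `else` to the new `if($fetch)` with `$this->resultSet = array();` (or storing `$statement_object->rowCount()` where callers can read it) would make the DML path explicit. The re-indented block between `/*` and `*/` is dead code that reads `$this->statement_object->rowCount()` before the property is assigned; deleting it rather than re-indenting it would keep the live control flow readable. The enclosing method starts and ends outside the hunk.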



