From 496972bf95e2ddbf01cb5e50a6a594615744d942 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Thu, 12 Mar 2015 09:44:31 +0100 Subject: Fix backtick character handling in sql queries (#1490312) --- program/lib/Roundcube/rcube_db.php | 12 +++++++----- program/lib/Roundcube/rcube_db_oracle.php | 9 +++++++-- 2 files changed, 14 insertions(+), 7 deletions(-) (limited to 'program/lib') diff --git a/program/lib/Roundcube/rcube_db.php b/program/lib/Roundcube/rcube_db.php index 2cacb3013..a31b2005d 100644 --- a/program/lib/Roundcube/rcube_db.php +++ b/program/lib/Roundcube/rcube_db.php @@ -448,10 +448,15 @@ class rcube_db } } - // replace escaped '?' back to normal, see self::quote() - $query = str_replace('??', '?', $query); $query = rtrim($query, " \t\n\r\0\x0B;"); + // replace escaped '?' and quotes back to normal, see self::quote() + $query = str_replace( + array('??', self::DEFAULT_QUOTE.self::DEFAULT_QUOTE), + array('?', self::DEFAULT_QUOTE), + $query + ); + // log query $this->debug($query); @@ -516,9 +521,6 @@ class rcube_db } } - // replace escaped quote back to normal, see self::quote() - $query = str_replace($quote.$quote, $quote, $query); - return $query; } diff --git a/program/lib/Roundcube/rcube_db_oracle.php b/program/lib/Roundcube/rcube_db_oracle.php index 34e4e69f8..bb033884c 100644 --- a/program/lib/Roundcube/rcube_db_oracle.php +++ b/program/lib/Roundcube/rcube_db_oracle.php @@ -155,10 +155,15 @@ class rcube_db_oracle extends rcube_db } } - // replace escaped '?' back to normal, see self::quote() - $query = str_replace('??', '?', $query); $query = rtrim($query, " \t\n\r\0\x0B;"); + // replace escaped '?' and quotes back to normal, see self::quote() + $query = str_replace( + array('??', self::DEFAULT_QUOTE.self::DEFAULT_QUOTE), + array('?', self::DEFAULT_QUOTE), + $query + ); + // log query $this->debug($query); -- cgit v1.2.3