Fixed bug #15737: quoteStrForLike does not properly escape strings in sql_mode NO_BACKSLASH_ESCAPES
authorOliver Hader <oliver.hader@typo3.org>
Thu, 16 Dec 2010 13:38:43 +0000 (13:38 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 16 Dec 2010 13:38:43 +0000 (13:38 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-4@9778 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_db.php

index e446653..ff6e08b 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
 
        * Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
        * Fixed bug #16590: t3lib_TSparser::checkIncludeLines() does not check files to be included (thanks to Fabrizio Branca)
+       * Fixed bug #15737: quoteStrForLike does not properly escape strings in sql_mode NO_BACKSLASH_ESCAPES
 
 2010-12-07  Christian Kuhn  <lolli@schwarzbu.ch>
 
index 4486415..628dbf7 100644 (file)
@@ -1124,12 +1124,39 @@ class t3lib_DB {
                                        );
                                }
                        }
+                       $this->setSqlMode();
                }
 
                return $this->link;
        }
 
        /**
+        * Fixes the SQL mode by unsetting NO_BACKSLASH_ESCAPES if found.
+        *
+        * @return void
+        */
+       protected function setSqlMode() {
+               $resource = $this->sql_query('SELECT @@SESSION.sql_mode;');
+               if (is_resource($resource)) {
+                       $result = $this->sql_fetch_row($resource);
+                       if (isset($result[0]) && $result[0] && strpos($result[0], 'NO_BACKSLASH_ESCAPES') !== FALSE) {
+                               $modes = array_diff(
+                                       t3lib_div::trimExplode(',', $result[0]),
+                                       array('NO_BACKSLASH_ESCAPES')
+                               );
+                               $query = 'SET sql_mode=\'' . mysql_real_escape_string(implode(',', $modes)) . '\';';
+                               $success = $this->sql_query($query);
+
+                               t3lib_div::sysLog(
+                                       'NO_BACKSLASH_ESCAPES could not be removed from SQL mode: ' . $this->sql_error(),
+                                       'Core',
+                                       3
+                               );
+                       }
+               }
+       }
+
+       /**
         * Select a MySQL database
         * mysql_select_db() wrapper function
         * Usage count/core: 8
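Review bot: The sysLog call in setSqlMode() fires unconditionally, so every connection whose session had NO_BACKSLASH_ESCAPES logs "could not be removed" even when the SET succeeded, and `$success` is assigned but never read. The log should be guarded: `if (!$success) {` before `t3lib_div::sysLog(` with a closing `}` after it, so operators only see the error when the escaping assumption quoteStrForLike relies on is actually still broken. A short docblock note would also help, e.g. `* Required because quoteStrForLike()/fullQuoteStr() assume backslash escaping; a session left in NO_BACKSLASH_ESCAPES would make those quoting helpers unsafe.` The hunk's first added line (the `$this->setSqlMode();` call) sits inside a connect method whose start lies outside the hunk.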