Merge "SECURITY: quote booleans as string (not integer) in DatabaseMysqlBase"

author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>

Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)

committer Gerrit Code Review <gerrit@wikimedia.org>

Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)
author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)
committer Gerrit Code Review <gerrit@wikimedia.org>
Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)
diff --git a/includes/libs/rdbms/database/DatabaseMysqlBase.php b/includes/libs/rdbms/database/DatabaseMysqlBase.php

index f504ec4..fb5fed7 100644 (file)
--- a/includes/libs/rdbms/database/DatabaseMysqlBase.php
+++ b/includes/libs/rdbms/database/DatabaseMysqlBase.php
@@ -608,6 +608,16 @@ abstract class DatabaseMysqlBase extends Database {
          */
         abstract protected function mysqlRealEscapeString( $s );
  
+       public function addQuotes( $s ) {
+               if ( is_bool( $s ) ) {
+                       // Parent would transform to int, which does not play nice with MySQL type juggling.
+                       // When searching for an int in a string column, the strings are cast to int, which
+                       // means false would match any string not starting with a number.
+                       $s = (string)(int)$s;
+               }
+               return parent::addQuotes( $s );
+       }
+
         /**
          * MySQL uses `backticks` for identifier quoting instead of the sql standard "double quotes".
          *
author	jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
	Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)
committer	Gerrit Code Review <gerrit@wikimedia.org>
	Tue, 11 Oct 2016 15:31:49 +0000 (15:31 +0000)