From e74c59d21680811b1cf32f825c4d0edd3bf2887c Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Thu, 20 Dec 2007 01:16:14 +0000
Subject: [PATCH] Use addQuotes() consistently when building lists of group and user names. Some were missing the quoting, using raw strencode(). This caused mysql errors at best, and hypothetically could be used for some kind of sql injection. :) I'd recommend making further refactoring to use the query-building functions ($db->select, $db->update, etc) to avoid having to do these by hand.
---
 maintenance/rebuildrecentchanges.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/maintenance/rebuildrecentchanges.inc b/maintenance/rebuildrecentchanges.inc
index 125de551a7..56e9e1f07a 100644
--- a/maintenance/rebuildrecentchanges.inc
+++ b/maintenance/rebuildrecentchanges.inc
@@ -107,10 +107,10 @@ function rebuildRecentChangesTablePass3()
 $botgroups = $autopatrolgroups = array();
 foreach( $wgGroupPermissions as $group => $rights ) {
 if( isset( $rights['bot'] ) && $rights['bot'] == true ) {
- $botgroups[] = "'" . $dbw->strencode( $group ) . "'";
+ $botgroups[] = $dbw->addQuotes( $group );
 }
 if( $wgUseRCPatrol && isset( $rights['autopatrol'] ) && $rights['autopatrol'] == true ) {
- $autopatrolgroups[] = "'" . $dbw->strencode( $group ) . "'";
+ $autopatrolgroups[] = $dbw->addQuotes( $group );
 }
 }
 # Flag our recent bot edits
@@ -126,7 +126,7 @@ function rebuildRecentChangesTablePass3()
 $res = $dbw->query( $sql, DB_MASTER );
 while( $obj = $dbw->fetchObject( $res ) ) {
- $botusers[] = $dbw->strencode( $obj->user_name );
+ $botusers[] = $dbw->addQuotes( $obj->user_name );
 }
 # Fill in the rc_bot field
 if( !empty($botusers) ) {
@@ -149,7 +149,7 @@ function rebuildRecentChangesTablePass3()
 $res = $dbw->query( $sql, DB_MASTER );
 while( $obj = $dbw->fetchObject( $res ) ) {
- $patrolusers[] = $dbw->strencode( $obj->user_name );
+ $patrolusers[] = $dbw->addQuotes( $obj->user_name );
 }
 # Fill in the rc_patrolled field
-- 
2.20.1
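Review bot: Nothing in the second hunk records that `$botusers` now holds complete SQL string literals rather than escaped names, and the same applies to `$patrolusers` in the third hunk. The statements that join these arrays into the later `UPDATE` queries lie outside all three hunks, so it cannot be confirmed from the patch that they join with a bare `,` and add no quoting of their own. Because `user_name` is read back from the database and was originally chosen by whoever registered the account, this list is a second-order injection point, and the quoting contract should be written next to it. I would add above each `while` loop a comment such as `# Entries are quoted SQL literals from addQuotes(); join with ',' only, never re-quote or re-escape`. rebuildRecentChangesTablePass3() begins and ends outside the hunks shown.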