From c428c2cf364859a1b17e733f7166f9dac70919da Mon Sep 17 00:00:00 2001
From: Alexander Mashin
Date: Sun, 1 Oct 2017 00:46:51 +0000
Subject: [PATCH] Ensure only strings are passed to mysql_real_escape_string()

Under some conditions (Semantic MediaWiki, Gadgets), an integer is passed to DatabaseMysqli::mysqlRealEscapeString (). This integer is, in turn, passed to mysqli::real_escape_string (), which needs a string. Under HHVM 3.19.1 (at least) this type mismatch causes an exception. A typecast should prevent it. I repeated the patch in other DB drivers where I could find a function that escaped strings for SQL.

Bug: T163646
Change-Id: I1b7820bc064dc79498cf9f17747f745990c526b7
---
 includes/libs/rdbms/database/DatabaseMssql.php | 1 -
 includes/libs/rdbms/database/DatabaseMysql.php | 2 +-
 includes/libs/rdbms/database/DatabaseMysqli.php | 2 +-
 includes/libs/rdbms/database/DatabasePostgres.php | 4 ++--
 includes/libs/rdbms/database/DatabaseSqlite.php | 6 +++---
 5 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/includes/libs/rdbms/database/DatabaseMssql.php b/includes/libs/rdbms/database/DatabaseMssql.php
index 4ebc6233ed..8a69eec428 100644
--- a/includes/libs/rdbms/database/DatabaseMssql.php
+++ b/includes/libs/rdbms/database/DatabaseMssql.php
@@ -1065,7 +1065,6 @@ class DatabaseMssql extends Database {
 */
 public function strencode( $s ) {
 // Should not be called by us
-
 return str_replace( "'", "''", $s );
 }
diff --git a/includes/libs/rdbms/database/DatabaseMysql.php b/includes/libs/rdbms/database/DatabaseMysql.php
index d81d9096fd..58b092669b 100644
--- a/includes/libs/rdbms/database/DatabaseMysql.php
+++ b/includes/libs/rdbms/database/DatabaseMysql.php
@@ -203,7 +203,7 @@ class DatabaseMysql extends DatabaseMysqlBase {
 protected function mysqlRealEscapeString( $s ) {
 $conn = $this->getBindingHandle();
- return mysql_real_escape_string( $s, $conn );
+ return mysql_real_escape_string( (string)$s, $conn );
 }
 }
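Review bot: The `(string)` cast in `mysqlRealEscapeString()` converts every type, not only the integers the commit message describes: `null` becomes `''` and an array becomes the literal `Array` with nothing more than a notice, so a caller that passes the wrong type now gets a well-formed escaped value sent to the database instead of a type error. Whether callers can pass such values is not visible from this hunk. If only strings and numbers are expected, a guard before the escape call would keep the failure visible, e.g. `if ( !is_scalar( $s ) ) { throw new InvalidArgumentException( 'Expected scalar, got ' . gettype( $s ) ); }`. The same cast is added in the DatabaseMysqli, DatabasePostgres (both hunks) and DatabaseSqlite (both hunks) sections of this patch.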
diff --git a/includes/libs/rdbms/database/DatabaseMysqli.php b/includes/libs/rdbms/database/DatabaseMysqli.php
index 4c3cbddf76..c1a56988d5 100644
--- a/includes/libs/rdbms/database/DatabaseMysqli.php
+++ b/includes/libs/rdbms/database/DatabaseMysqli.php
@@ -316,7 +316,7 @@ class DatabaseMysqli extends DatabaseMysqlBase {
 protected function mysqlRealEscapeString( $s ) {
 $conn = $this->getBindingHandle();
- return $conn->real_escape_string( $s );
+ return $conn->real_escape_string( (string)$s );
 }
 /**
diff --git a/includes/libs/rdbms/database/DatabasePostgres.php b/includes/libs/rdbms/database/DatabasePostgres.php
index 5719a1fcea..5a7da4976f 100644
--- a/includes/libs/rdbms/database/DatabasePostgres.php
+++ b/includes/libs/rdbms/database/DatabasePostgres.php
@@ -1175,7 +1175,7 @@ SQL;
 public function strencode( $s ) {
 // Should not be called by us
- return pg_escape_string( $this->getBindingHandle(), $s );
+ return pg_escape_string( $this->getBindingHandle(), (string)$s );
 }
 public function addQuotes( $s ) {
@@ -1196,7 +1196,7 @@ SQL;
 return 'DEFAULT';
 }
- return "'" . pg_escape_string( $conn, $s ) . "'";
+ return "'" . pg_escape_string( $conn, (string)$s ) . "'";
 }
 /**
diff --git a/includes/libs/rdbms/database/DatabaseSqlite.php b/includes/libs/rdbms/database/DatabaseSqlite.php
index 870fc3eeca..2b0660707c 100644
--- a/includes/libs/rdbms/database/DatabaseSqlite.php
+++ b/includes/libs/rdbms/database/DatabaseSqlite.php
@@ -790,7 +790,7 @@ class DatabaseSqlite extends Database {
 return "x'" . bin2hex( $s->fetch() ) . "'";
 } elseif ( is_bool( $s ) ) {
 return (int)$s;
- } elseif ( strpos( $s, "\0" ) !== false ) {
+ } elseif ( strpos( (string)$s, "\0" ) !== false ) {
 // SQLite doesn't support \0 in strings, so use the hex representation as a workaround.
 // This is a known limitation of SQLite's mprintf function which PDO
 // should work around, but doesn't. I have reported this to php.net as bug #63419:
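Review bot: In the DatabaseSqlite section, `$s` is cast separately in the `strpos()` test of this hunk and again in the `bin2hex()` and `quote()` calls of the next hunk (@@ -806,9), so the NUL-byte check and the value that is finally quoted come from independent conversions. Since the visible earlier branches return, converting once after the `is_bool` branch, with `$s = (string)$s;` followed by a plain `if ( strpos( $s, "\0" ) !== false ) {`, would guarantee that the checked value and the emitted value are the same string. The function begins before this hunk, so how `null` is handled ahead of this chain cannot be seen here; that should be confirmed, because `(string)null` would be quoted as an empty string.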
@@ -806,9 +806,9 @@ class DatabaseSqlite extends Database {
 'For consistency all binary data should have been ' .
 'first processed with self::encodeBlob()'
 );
- return "x'" . bin2hex( $s ) . "'";
+ return "x'" . bin2hex( (string)$s ) . "'";
 } else {
- return $this->mConn->quote( $s );
+ return $this->mConn->quote( (string)$s );
 }
 }
--
2.20.1