From: Brion Vibber
Date: Thu, 20 Dec 2007 01:16:14 +0000 (+0000)
Subject: Use addQuotes() consistently when building lists of group and user names.
X-Git-Tag: 1.31.0-rc.0~50334
X-Git-Url: https://git.cyclocoop.org/%7B%24admin_url%7Dmembres/cotisations/voir.php?a=commitdiff_plain;h=e74c59d21680811b1cf32f825c4d0edd3bf2887c;p=lhc%2Fweb%2Fwiklou.git

Use addQuotes() consistently when building lists of group and user names.
Some were missing the quoting, using raw strencode(). This caused mysql errors at best, and hypothetically could be used for some kind of sql injection. :)

I'd recommend making further refactoring to use the query-building functions ($db->select, $db->update, etc) to avoid having to do these by hand.
---
diff --git a/maintenance/rebuildrecentchanges.inc b/maintenance/rebuildrecentchanges.inc
index 125de551a7..56e9e1f07a 100644
--- a/maintenance/rebuildrecentchanges.inc
+++ b/maintenance/rebuildrecentchanges.inc
@@ -107,10 +107,10 @@ function rebuildRecentChangesTablePass3()
 $botgroups = $autopatrolgroups = array();
 foreach( $wgGroupPermissions as $group => $rights ) {
 if( isset( $rights['bot'] ) && $rights['bot'] == true ) {
- $botgroups[] = "'" . $dbw->strencode( $group ) . "'";
+ $botgroups[] = $dbw->addQuotes( $group );
 }
 if( $wgUseRCPatrol && isset( $rights['autopatrol'] ) && $rights['autopatrol'] == true ) {
- $autopatrolgroups[] = "'" . $dbw->strencode( $group ) . "'";
+ $autopatrolgroups[] = $dbw->addQuotes( $group );
 }
 }
 # Flag our recent bot edits
@@ -126,7 +126,7 @@ function rebuildRecentChangesTablePass3()
 $res = $dbw->query( $sql, DB_MASTER );
 while( $obj = $dbw->fetchObject( $res ) ) {
- $botusers[] = $dbw->strencode( $obj->user_name );
+ $botusers[] = $dbw->addQuotes( $obj->user_name );
 }
 # Fill in the rc_bot field
 if( !empty($botusers) ) {
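Review bot: The new `addQuotes()` calls still leave `$botgroups` and `$autopatrolgroups` as hand-assembled lists of pre-quoted SQL fragments, which is exactly the shape that let the quoting be forgotten before; collecting the raw group names and letting the database layer quote them at the point of use — `$dbw->makeList( $botgroups )` for a comma-separated list, or passing the array as a condition value to `$dbw->select()` as the commit message itself proposes — keeps escaping in one place instead of at every append. The code that consumes these lists (presumably an `IN (...)` clause) is outside this hunk, as is any empty-list handling; the `if( !empty($botusers) )` guard visible in the following hunk suggests the group lists may need the same check, which I cannot confirm from here. The same hand-quoting pattern recurs for `$botusers` and `$patrolusers` in the two hunks that follow. `rebuildRecentChangesTablePass3()` begins before this hunk and continues past it.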
@@ -149,7 +149,7 @@ function rebuildRecentChangesTablePass3()
 $res = $dbw->query( $sql, DB_MASTER );
 while( $obj = $dbw->fetchObject( $res ) ) {
- $patrolusers[] = $dbw->strencode( $obj->user_name );
+ $patrolusers[] = $dbw->addQuotes( $obj->user_name );
 }
 # Fill in the rc_patrolled field