From: Gergő Tisza
Date: Thu, 6 Oct 2016 17:39:08 +0000 (+0000)
Subject: SECURITY: quote booleans as string (not integer) in DatabaseMysqlBase
X-Git-Tag: 1.31.0-rc.0~5156^2
X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/Foo_bar?a=commitdiff_plain;h=24a108b334f94c5f304c6e6be2ff34b096be027c;p=lhc%2Fweb%2Fwiklou.git

SECURITY: quote booleans as string (not integer) in DatabaseMysqlBase

Comparing a string column to 0 will produce spurious matches, and it is easy to get a false value in unexpected places. Comparing an int column to '0' does not seem to cause any problems.

Bug: T147537
Change-Id: I5ad547de509b3417b5937be6bdda9befb8aed8b6
---
diff --git a/includes/libs/rdbms/database/DatabaseMysqlBase.php b/includes/libs/rdbms/database/DatabaseMysqlBase.php
index d654429317..b1c18b69a8 100644
--- a/includes/libs/rdbms/database/DatabaseMysqlBase.php
+++ b/includes/libs/rdbms/database/DatabaseMysqlBase.php
@@ -608,6 +608,16 @@ abstract class DatabaseMysqlBase extends Database {
*/
abstract protected function mysqlRealEscapeString( $s );
+ public function addQuotes( $s ) {
+ if ( is_bool( $s ) ) {
+ // Parent would transform to int, which does not play nice with MySQL type juggling.
+ // When searching for an int in a string column, the strings are cast to int, which
+ // means false would match any string not starting with a number.
+ $s = (string)(int)$s;
+ }
+ return parent::addQuotes( $s );
+ }
+
/**
* MySQL uses `backticks` for identifier quoting instead of the sql standard "double quotes".
*
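Review bot: The new addQuotes() override carries no docblock, while the abstract mysqlRealEscapeString() above it and the method after it are documented; add a short PHPDoc stating that booleans are quoted as the strings '1'/'0' instead of being emitted as bare integers, with @param and @return matching the parent's signature. The conversion `$s = (string)(int)$s;` reads more clearly as `$s = $s ? '1' : '0';`, which makes the two possible values explicit. The guard only covers PHP booleans that reach this method: an integer 0 handed in directly by a caller still takes the parent path and, if the parent emits it unquoted, keeps the string-column matching behaviour the commit message describes, so callers comparing against string columns should pass strings. The enclosing class continues outside the hunk.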