From 24a108b334f94c5f304c6e6be2ff34b096be027c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Thu, 6 Oct 2016 17:39:08 +0000
Subject: [PATCH] SECURITY: quote booleans as string (not integer) in DatabaseMysqlBase

Comparing a string column to 0 will produce spurious matches, and it is easy to get a false value in unexpected places. Comparing an int column to '0' does not seem to cause any problems.

Bug: T147537
Change-Id: I5ad547de509b3417b5937be6bdda9befb8aed8b6
---
 includes/libs/rdbms/database/DatabaseMysqlBase.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/includes/libs/rdbms/database/DatabaseMysqlBase.php b/includes/libs/rdbms/database/DatabaseMysqlBase.php
index d654429317..b1c18b69a8 100644
--- a/includes/libs/rdbms/database/DatabaseMysqlBase.php
+++ b/includes/libs/rdbms/database/DatabaseMysqlBase.php
@@ -608,6 +608,16 @@ abstract class DatabaseMysqlBase extends Database {
 */
 abstract protected function mysqlRealEscapeString( $s );
 
+ public function addQuotes( $s ) {
+ if ( is_bool( $s ) ) {
+ // Parent would transform to int, which does not play nice with MySQL type juggling.
+ // When searching for an int in a string column, the strings are cast to int, which
+ // means false would match any string not starting with a number.
+ $s = (string)(int)$s;
+ }
+ return parent::addQuotes( $s );
+ }
+
 /**
 * MySQL uses `backticks` for identifier quoting instead of the sql standard "double quotes".
 *
-- 
2.20.1
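Review bot: The `is_bool( $s )` guard in the new `addQuotes()` closes only the `false`/`true` case. An integer `0` reaching a string column through this method is presumably still emitted as a bare number by the parent (whose body is outside this hunk), which would trigger the same MySQL string-to-number comparison the inline comment describes. If leaving integers to the parent is intended, the override should say so in a docblock, for example `/** Quotes booleans as the strings '1'/'0' so that false cannot match non-numeric values in a string column; all other types are handled by the parent. */`. The diffstat shows only this file changed, so a regression test asserting that `addQuotes( false )` yields a quoted `'0'` and `addQuotes( true )` a quoted `'1'` would keep a later refactor of the parent from silently undoing the fix.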