dépôts / lhc / web / wiklou.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ecf9fc3)
Use addQuotes() consistently when building lists of group and user names.
authorBrion Vibber <brion@users.mediawiki.org>
Thu, 20 Dec 2007 01:16:14 +0000 (01:16 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Thu, 20 Dec 2007 01:16:14 +0000 (01:16 +0000)
Some were missing the quoting, using raw strencode(). This caused mysql errors at best, and hypothetically could be used for some kind of sql injection. :)

I'd recommend making further refactoring to use the query-building functions ($db->select, $db->update, etc) to avoid having to do these by hand.

maintenance/rebuildrecentchanges.inc patch | blob | history

diff --git a/maintenance/rebuildrecentchanges.inc b/maintenance/rebuildrecentchanges.inc
index 125de55..56e9e1f 100644 (file)
--- a/maintenance/rebuildrecentchanges.inc
+++ b/maintenance/rebuildrecentchanges.inc
@@ -107,10 +107,10 @@ function rebuildRecentChangesTablePass3()
        $botgroups = $autopatrolgroups = array();
        foreach( $wgGroupPermissions as $group => $rights ) {
                if( isset( $rights['bot'] ) && $rights['bot'] == true ) {
-                       $botgroups[] = "'" . $dbw->strencode( $group ) . "'";
+                       $botgroups[] = $dbw->addQuotes( $group );
                }
                if( $wgUseRCPatrol && isset( $rights['autopatrol'] ) && $rights['autopatrol'] == true ) {
-                       $autopatrolgroups[] = "'" . $dbw->strencode( $group ) . "'";
+                       $autopatrolgroups[] = $dbw->addQuotes( $group );
                }
        }
        # Flag our recent bot edits
@@ -126,7 +126,7 @@ function rebuildRecentChangesTablePass3()
                $res = $dbw->query( $sql, DB_MASTER );
 
                while( $obj = $dbw->fetchObject( $res ) ) {
-                       $botusers[] = $dbw->strencode( $obj->user_name );
+                       $botusers[] = $dbw->addQuotes( $obj->user_name );
                }
                # Fill in the rc_bot field
                if( !empty($botusers) ) {
@@ -149,7 +149,7 @@ function rebuildRecentChangesTablePass3()
                $res = $dbw->query( $sql, DB_MASTER );
 
                while( $obj = $dbw->fetchObject( $res ) ) {
-                       $patrolusers[] = $dbw->strencode( $obj->user_name );
+                       $patrolusers[] = $dbw->addQuotes( $obj->user_name );
                }
                
                # Fill in the rc_patrolled field
Wiklou, le Wiki du Wiklou