Mhash extension and system crypt libraries that support crypto
used on LDAP server. It might need PHP LDAP extension with SSL
support, if LDAP server requires it.
-- mysql backend needs PHP MySQL extension.
+- mysql backend needs PHP MySQL extension and PHP 4.3 or later.
- merak backend needs PHP Curl extension.
- peardb backend needs PHP Pear DB libraries (v.1.6.0 or newer) and
PHP extension that is used to connect to database.
$query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
. ' FROM ' . $mysql_table
- . ' WHERE ' . $mysql_userid_field . '="' . mysql_escape_string($username) .'"'
+ . ' WHERE ' . $mysql_userid_field . '="' . mysql_real_escape_string($username, $ds) .'"'
. ' AND ' . $mysql_password_field;
if ($mysql_saslcrypt) {
- $query_string .= '=password("'.mysql_escape_string($curpw).'")';
+ $query_string .= '=password("'.mysql_real_escape_string($curpw, $ds).'")';
} elseif ($mysql_unixcrypt) {
// FIXME: why password field name is used for salting
- $query_string .= '=encrypt("'.mysql_escape_string($curpw).'", '.$mysql_password_field . ')';
+ $query_string .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", '.$mysql_password_field . ')';
} else {
- $query_string .= '="' . mysql_escape_string($curpw) . '"';
+ $query_string .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
}
$select_result = mysql_query($query_string, $ds);
$update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;
if ($mysql_saslcrypt) {
- $update_string .= '=password("'.mysql_escape_string($newpw).'")';
+ $update_string .= '=password("'.mysql_real_escape_string($newpw, $ds).'")';
} elseif ($mysql_unixcrypt) {
// FIXME: use random salt when you create new password
- $update_string .= '=encrypt("'.mysql_escape_string($newpw).'", '.$mysql_password_field . ')';
+ $update_string .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", '.$mysql_password_field . ')';
} else {
- $update_string .= '="' . mysql_escape_string($newpw) . '"';
+ $update_string .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
}
- $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_escape_string($username) . '"';
+ $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_real_escape_string($username, $ds) . '"';
if (!mysql_query($update_string, $ds)) {
array_push($msgs, _("Password change was not successful!"));
}
return $msgs;
-}
\ No newline at end of file
+}
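Review bot: The escaping now depends on `$ds` being a live link, but nothing in the hunk checks it: `mysql_real_escape_string()` returns `false` when the link is invalid, and `false` concatenates to an empty string, so the `WHERE` clauses built at the `$query_string` and `$update_string` lines would quietly become `= ""` instead of failing. A guard before the query is assembled, `if (!$ds) { array_push($msgs, _("Password change was not successful!")); return $msgs; }`, keeps a broken connection from producing a malformed query. Note also that `mysql_real_escape_string()` escapes according to the connection's character set, so this is only a real improvement over `mysql_escape_string()` when the charset is set on `$ds` through the client API rather than by a `SET NAMES` query; that is worth a comment where `$ds` is opened. The table and column names are still interpolated unescaped, which is acceptable only as long as they come from the plugin configuration and never from request data. The enclosing function begins outside the hunk, as does the initialisation of `$ds`.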