From: kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Thu, 8 May 2008 14:25:42 +0000 (+0000)
Subject: replace mysql_escape_string with the characterset safe mysql_real_escape_string.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=8f16b6ce73e9426a8605aa5ef98650bbfe6f09b9;p=squirrelmail.git

replace mysql_escape_string with the characterset safe mysql_real_escape_string.
This raises the requirement for the myqsl backend to PHP 4.3.0.


git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13122 7612ce4b-ef26-0410-bec9-ea0150e637f0
---

diff --git a/plugins/change_password/README b/plugins/change_password/README
index 028368c8..d7fb39ec 100644
--- a/plugins/change_password/README
+++ b/plugins/change_password/README
@@ -16,7 +16,7 @@ REQUIREMENTS:
   Mhash extension and system crypt libraries that support crypto
   used on LDAP server. It might need PHP LDAP extension with SSL
   support, if LDAP server requires it.
-- mysql backend needs PHP MySQL extension.
+- mysql backend needs PHP MySQL extension and PHP 4.3 or later.
 - merak backend needs PHP Curl extension.
 - peardb backend needs PHP Pear DB libraries (v.1.6.0 or newer) and 
   PHP extension that is used to connect to database.
diff --git a/plugins/change_password/backend/mysql.php b/plugins/change_password/backend/mysql.php
index 15edaab3..5c214d93 100644
--- a/plugins/change_password/backend/mysql.php
+++ b/plugins/change_password/backend/mysql.php
@@ -90,16 +90,16 @@ function cpw_mysql_dochange($data)
 
     $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field
                   . ' FROM '  . $mysql_table
-                  . ' WHERE ' . $mysql_userid_field . '="' . mysql_escape_string($username) .'"'
+                  . ' WHERE ' . $mysql_userid_field . '="' . mysql_real_escape_string($username, $ds) .'"'
                   . ' AND ' . $mysql_password_field;
 
     if ($mysql_saslcrypt) {
-        $query_string  .= '=password("'.mysql_escape_string($curpw).'")';
+        $query_string  .= '=password("'.mysql_real_escape_string($curpw, $ds).'")';
     } elseif ($mysql_unixcrypt) {
         // FIXME: why password field name is used for salting
-        $query_string  .= '=encrypt("'.mysql_escape_string($curpw).'", '.$mysql_password_field . ')';
+        $query_string  .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", '.$mysql_password_field . ')';
     } else {
-        $query_string  .= '="' . mysql_escape_string($curpw) . '"';
+        $query_string  .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
     }
 
     $select_result = mysql_query($query_string, $ds);
@@ -121,18 +121,18 @@ function cpw_mysql_dochange($data)
     $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field;
 
     if ($mysql_saslcrypt) {
-        $update_string  .= '=password("'.mysql_escape_string($newpw).'")';
+        $update_string  .= '=password("'.mysql_real_escape_string($newpw, $ds).'")';
     } elseif ($mysql_unixcrypt) {
         // FIXME: use random salt when you create new password
-        $update_string  .= '=encrypt("'.mysql_escape_string($newpw).'", '.$mysql_password_field . ')';
+        $update_string  .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", '.$mysql_password_field . ')';
     } else {
-        $update_string  .= '="' . mysql_escape_string($newpw) . '"';
+        $update_string  .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
     }
-    $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_escape_string($username) . '"';
+    $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_real_escape_string($username, $ds) . '"';
 
     if (!mysql_query($update_string, $ds)) {
         array_push($msgs, _("Password change was not successful!"));
     }
 
     return $msgs;
-}
\ No newline at end of file
+}