From 8f56d1f55e5f4ecd19461b7bd08a96d33ea9e569 Mon Sep 17 00:00:00 2001 From: Mattias Michaux Date: Wed, 25 May 2016 21:11:34 +0200 Subject: [PATCH] Additional mysqli fixes/enhancements. --- CRM/Core/DAO.php | 27 +++++++++------------- CRM/Import/DataSource/CSV.php | 15 +----------- CRM/Report/Form/Mailing/Detail.php | 2 +- CRM/Report/Form/Mailing/Summary.php | 2 +- tests/phpunit/CRM/Core/TransactionTest.php | 3 +-- 5 files changed, 15 insertions(+), 34 deletions(-) diff --git a/CRM/Core/DAO.php b/CRM/Core/DAO.php index b80c09223b..3c8cbb65eb 100644 --- a/CRM/Core/DAO.php +++ b/CRM/Core/DAO.php @@ -1390,11 +1390,7 @@ FROM civicrm_domain foreach ($ids as $id) { if (isset($_DB_DATAOBJECT['RESULTS'][$id])) { - if (is_resource($_DB_DATAOBJECT['RESULTS'][$id]->result)) { - // @fixme mysql_free_result() does not exist in PHP7. - // No fatal error, however, because mysqli result is not a resource. - mysql_free_result($_DB_DATAOBJECT['RESULTS'][$id]->result); - } + $_DB_DATAOBJECT['RESULTS'][$id]->free(); unset($_DB_DATAOBJECT['RESULTS'][$id]); } 
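Review bot: The new `->free()` call inside the `foreach ($ids as $id)` loop runs on whatever is stored in `$_DB_DATAOBJECT['RESULTS'][$id]`, and the surrounding `isset()` only shows the entry is set, not that it is an object with a `free()` method. The removed code only read `->result` and tested it with `is_resource()`, which would not abort the request on an unexpected entry, whereas a method call on a non-object is a fatal error. If an entry can ever be something other than a result object (not visible from this hunk), guard the call with `if (is_object($_DB_DATAOBJECT['RESULTS'][$id])) { ... }`. The enclosing function starts and ends outside the hunk.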
@@ -1634,22 +1630,21 @@ SELECT contact_id */ public static function escapeString($string) { static $_dao = NULL; - if (!$_dao) { - // If this is an atypical case (e.g. preparing .sql files - // before Civi has been installed), then we fallback to - // DB-less escaping helper (addslashes). This is unsafe - // so should only be used on trusted strings. - // Note: In typical usage, escapeString() will only - // check one conditional ("if !$_dao") rather than - // two conditionals ("if !defined(DSN)") + // If this is an atypical case (e.g. preparing .sql file before CiviCRM + // has been installed), then we fallback DB-less str_replace escaping, as + // we can't use mysqli_real_escape_string, as there is no DB connection. + // Note: In typical usage, escapeString() will only check one conditional + // ("if !$_dao") rather than two conditionals ("if !defined(DSN)") if (!defined('CIVICRM_DSN')) { - return addslashes($string); + // See http://php.net/manual/en/mysqli.real-escape-string.php for the + // list of characters mysqli_real_escape_string escapes. + $search = array("\\", "\x00", "\n", "\r", "'", '"', "\x1a"); + $replace = array("\\\\","\\0","\\n", "\\r", "\'", '\"', "\\Z"); + return str_replace($search, $replace, $string); } - $_dao = new CRM_Core_DAO(); } - return $_dao->escape($string); } diff --git a/CRM/Import/DataSource/CSV.php b/CRM/Import/DataSource/CSV.php index 89c7f22cc0..72b980000f 100644 --- a/CRM/Import/DataSource/CSV.php +++ b/CRM/Import/DataSource/CSV.php @@ -235,7 +235,7 @@ class CRM_Import_DataSource_CSV extends CRM_Import_DataSource { function($string) { return trim($string, chr(0xC2) . chr(0xA0)); }, $row); - $row = array_map('civicrm_mysql_real_escape_string', $row); + $row = array_map(array('CRM_Core_DAO', 'escapeString'), $row); $sql .= "('" . implode("', '", $row) . "')"; $count++; 
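Review bot: The rewritten comment in `escapeString()` drops the earlier warning that the DB-less branch is unsafe and meant only for trusted strings, yet that caveat still applies to the `str_replace` emulation. Without a connection it cannot take the connection character set into account, nor an `sql_mode` such as `NO_BACKSLASH_ESCAPES`, and both decide whether backslash escaping is sufficient. I would keep the warning next to the `!defined('CIVICRM_DSN')` branch, e.g. `// Unsafe for untrusted input: this emulation knows nothing about the connection charset or sql_mode.`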
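Review bot: The row values on the `array_map(array('CRM_Core_DAO', 'escapeString'), $row)` line are file content, and `escapeString()` has a connectionless branch (taken when `CIVICRM_DSN` is undefined) that the removed `civicrm_mysql_real_escape_string()` helper did not have. An import presumably always runs on a configured site, so that branch should be unreachable here, but nothing at this call site says so. Because the result is concatenated into the `INSERT` text through `implode("', '", $row)`, a short comment would help: `// Untrusted file content: relies on escapeString() using the live DB connection, then single-quoting each value.` The enclosing method continues outside the hunk.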
@@ -263,16 +263,3 @@ class CRM_Import_DataSource_CSV extends CRM_Import_DataSource { } } - -/** - * @param $string - * - * @return string - */ -function civicrm_mysql_real_escape_string($string) { - static $dao = NULL; - if (!$dao) { - $dao = new CRM_Core_DAO(); - } - return $dao->escape($string); -} diff --git a/CRM/Report/Form/Mailing/Detail.php b/CRM/Report/Form/Mailing/Detail.php index 19bcee840b..ef9e291eb9 100644 --- a/CRM/Report/Form/Mailing/Detail.php +++ b/CRM/Report/Form/Mailing/Detail.php @@ -452,7 +452,7 @@ class CRM_Report_Form_Mailing_Detail extends CRM_Report_Form { $mailing->query($query); while ($mailing->fetch()) { - $data[$mailing->escape($mailing->name)] = $mailing->name; + $data[CRM_Core_DAO::escapeString($mailing->name)] = $mailing->name; } return $data; diff --git a/CRM/Report/Form/Mailing/Summary.php b/CRM/Report/Form/Mailing/Summary.php index deecbd83ec..02cb9bf715 100644 --- a/CRM/Report/Form/Mailing/Summary.php +++ b/CRM/Report/Form/Mailing/Summary.php @@ -298,7 +298,7 @@ class CRM_Report_Form_Mailing_Summary extends CRM_Report_Form { $mailing->query($query); while ($mailing->fetch()) { - $data[$mailing->escape($mailing->name)] = $mailing->name; + $data[CRM_Core_DAO::escapeString($mailing->name)] = $mailing->name; } return $data; diff --git a/tests/phpunit/CRM/Core/TransactionTest.php b/tests/phpunit/CRM/Core/TransactionTest.php index 6b9de0353e..60a9312284 100644 --- a/tests/phpunit/CRM/Core/TransactionTest.php +++ b/tests/phpunit/CRM/Core/TransactionTest.php @@ -362,8 +362,7 @@ class CRM_Core_TransactionTest extends CiviUnitTestCase { if ($insert == 'sql-insert') { $r = CRM_Core_DAO::executeQuery("INSERT INTO civicrm_contact(first_name,last_name) VALUES ('ff', 'll')"); - // @fixme mysql_insert_id() does not exist in PHP7. - $cid = mysql_insert_id(); + $cid = mysqli_insert_id($r->getConnection()->connection); } elseif ($insert == 'bao-create') { $params = array( -- 2.25.1
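Review bot: The option key in `$data[CRM_Core_DAO::escapeString($mailing->name)] = $mailing->name;` is escaped when the list is built rather than when a query is assembled, and the same line appears in the CRM/Report/Form/Mailing/Summary.php hunk. If these keys are sent out as filter values and come back in a request (the consumer is not visible in these hunks), the submitted value cannot be assumed to still be escaped. The code that places the selected value into SQL should escape it there or check it against the known keys; a comment such as `// Key is escaped for use as the option value; the submitted value must still be validated before it reaches SQL.` would record that.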
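Review bot: `mysqli_insert_id($r->getConnection()->connection)` ties the test to the mysqli driver and to the internal `connection` property of the DB wrapper, so a driver change would break the test rather than the code under test. Reading the id through the DAO layer, for example `$cid = CRM_Core_DAO::singleValueQuery('SELECT LAST_INSERT_ID()');`, would keep the test driver-neutral, assuming it runs on the same connection as the insert. The enclosing test method starts and ends outside the hunk.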