From f1f72ff9ddcfdeda9c05251ef410ff1dec238405 Mon Sep 17 00:00:00 2001
From: mcramer <m.cramer@pixcept.de>
Date: Mon, 07 Jan 2013 10:17:09 -0500
Subject: [PATCH] Fixed: FS#2608 - Certain complex database passwords are not escaped properly (MySQL) - passwords are now enrypted already in tform (and remoting) and not stored in datalog clear text - clientdb plugin no longer encrypts password itself but receives crypted password
---
interface/lib/classes/tform.inc.php | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index b0b727c..bd28db4 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -687,7 +687,7 @@
}
break;
case 'INTEGER':
- $new_record[$key] = (isset($record[$key]))?$app->functions->intval($record[$key]):0;
+ $new_record[$key] = (isset($record[$key]))?$app->functions->intval($record[$key]):0;
//if($new_record[$key] != $record[$key]) $new_record[$key] = $field['default'];
//if($key == 'refresh') die($record[$key]);
break;
@@ -856,7 +856,7 @@
}
break;
case 'ISINT':
- if(function_exists('filter_var')) {
+ if(function_exists('filter_var') && $field_value < 2147483647) {
if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT) === false) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -1057,7 +1057,9 @@
$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} elseif ($field['encryption'] == 'MYSQL') {
- $sql_insert_val .= "PASSWORD('".$app->db->quote($record[$key])."'), ";
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $record[$key] = $tmp['crypted'];
+ $sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} elseif ($field['encryption'] == 'CLEARTEXT') {
$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} else {
@@ -1084,7 +1086,9 @@
$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
- $sql_update .= "`$key` = PASSWORD('".$app->db->quote($record[$key])."'), ";
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $record[$key] = $tmp['crypted'];
+ $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
} elseif (isset($field['encryption']) && $field['encryption'] == 'CLEARTEXT') {
$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
} else {
--
Gitblit v1.9.1