From 282dff4f18672c22f171768a983a740d1a8e0096 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 17 Apr 2013 13:33:42 -0400
Subject: [PATCH] Add rcube_db::escape() method, fix escapeSimple() to use escape instead of quote()

---
 plugins/virtuser_query/virtuser_query.php |    6 +++---
 program/lib/Roundcube/rcube_db.php        |   28 ++++++++++++++++++++++------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/plugins/virtuser_query/virtuser_query.php b/plugins/virtuser_query/virtuser_query.php
index 32522f9..9e3dc90 100644
--- a/plugins/virtuser_query/virtuser_query.php
+++ b/plugins/virtuser_query/virtuser_query.php
@@ -59,7 +59,7 @@
     {
         $dbh = $this->get_dbh();
 
-        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->quote($p['user']), $this->config['email']));
+        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->escape($p['user']), $this->config['email']));
 
         while ($sql_arr = $dbh->fetch_array($sql_result)) {
             if (strpos($sql_arr[0], '@')) {
@@ -96,7 +96,7 @@
     {
         $dbh = $this->get_dbh();
 
-        $sql_result = $dbh->query(preg_replace('/%m/', $dbh->quote($p['email']), $this->config['user']));
+        $sql_result = $dbh->query(preg_replace('/%m/', $dbh->escape($p['email']), $this->config['user']));
 
         if ($sql_arr = $dbh->fetch_array($sql_result)) {
             $p['user'] = $sql_arr[0];
@@ -112,7 +112,7 @@
     {
         $dbh = $this->get_dbh();
 
-        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->quote($p['user']), $this->config['host']));
+        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->escape($p['user']), $this->config['host']));
 
         if ($sql_arr = $dbh->fetch_array($sql_result)) {
             $p['host'] = $sql_arr[0];
diff --git a/program/lib/Roundcube/rcube_db.php b/program/lib/Roundcube/rcube_db.php
index a9163cb..9cda023 100644
--- a/program/lib/Roundcube/rcube_db.php
+++ b/program/lib/Roundcube/rcube_db.php
@@ -634,6 +634,22 @@
     }
 
     /**
+     * Escapes a string so it can be safely used in a query
+     *
+     * @param string $str A string to escape
+     *
+     * @return string Escaped string for use in a query
+     */
+    public function escape($str)
+    {
+        if (is_null($str)) {
+            return 'NULL';
+        }
+
+        return substr($this->quote($str), 1, -1);
+    }
+
+    /**
      * Quotes a string so it can be safely used as a table or column name
      *
      * @param string $str Value to quote
@@ -648,17 +664,17 @@
     }
 
     /**
-     * Quotes a string so it can be safely used as a table or column name
+     * Escapes a string so it can be safely used in a query
      *
-     * @param string $str Value to quote
+     * @param string $str A string to escape
      *
-     * @return string Quoted string for use in query
-     * @deprecated    Replaced by rcube_db::quote
-     * @see           rcube_db::quote
+     * @return string Escaped string for use in a query
+     * @deprecated    Replaced by rcube_db::escape
+     * @see           rcube_db::escape
      */
     public function escapeSimple($str)
     {
-        return $this->quote($str);
+        return $this->escape($str);
     }
 
     /**

--
Gitblit v1.9.1