Remove excessive SQL quotes filtering adding risk to queries (done better) - refs BT#13285

ywarnier · ywarnier · commit 4ffe5edb442d · 2017-09-27T02:20:15.000+02:00
diff --git a/main/inc/lib/database.lib.php b/main/inc/lib/database.lib.php
@@ -248,8 +248,12 @@ public static function escape_sql_wildcards($text)
     public static function escape_string($string)
     {
         $string = self::getManager()->getConnection()->quote($string);
-
-        return trim($string, "'");
+        // The quote method from PDO also adds quotes around the string, which
+        // is not how the legacy mysql_real_escape_string() was used in
+        // Chamilo, so we need to remove the quotes around. Using trim will
+        // remove more than one quote if they are sequenced, generating
+        // broken queries and SQL injection risks
+        return substr($string, 1, -1);
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -248,8 +248,12 @@ public static function escape_sql_wildcards($text)`
`248`	`248`	`public static function escape_string($string)`
`249`	`249`	`{`
`250`	`250`	`$string = self::getManager()->getConnection()->quote($string);`
`251`		`-`
`252`		`- return trim($string, "'");`
	`251`	`+ // The quote method from PDO also adds quotes around the string, which`
	`252`	`+ // is not how the legacy mysql_real_escape_string() was used in`
	`253`	`+ // Chamilo, so we need to remove the quotes around. Using trim will`
	`254`	`+ // remove more than one quote if they are sequenced, generating`
	`255`	`+ // broken queries and SQL injection risks`
	`256`	`+ return substr($string, 1, -1);`
`253`	`257`	`}`
`254`	`258`
`255`	`259`	`/**`