modified MySQL and MySQLi drivers to address a potential SQL injection attack vector when multi-byte character set connections are employed. (Does not impact Latin-1, UTF-8, etc. encodings)

commit: 6ae70cc8499499b5d77d77ec8974f95873edb861 [log] [tgz]
author: Derek Jones <derek.jones@ellislab.com> Tue Apr 19 16:13:48 2011 -0500
committer: Derek Jones <derek.jones@ellislab.com> Tue Apr 19 16:13:48 2011 -0500
tree: 85b39e2ae9018e77f6fe8647b1004f91764001ce
parent: 9ce4385cfc976e309ee12c53726abfd4f066ac3f [diff] [blame]
diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php
index ccdabce..1949acb 100644
--- a/system/database/drivers/mysqli/mysqli_driver.php
+++ b/system/database/drivers/mysqli/mysqli_driver.php

@@ -132,7 +132,22 @@
 	 */
 	function _db_set_charset($charset, $collation)
 	{
-		return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'");
+		static $use_set_names;
+		
+		if ( ! isset($use_set_names))
+		{
+			// mysqli_set_charset() requires MySQL >= 5.0.7, use SET NAMES as fallback
+			$use_set_names = (version_compare(mysql_get_server_info(), '5.0.7', '>=')) ? FALSE : TRUE;
+		}
+
+		if ($use_set_names)
+		{
+			return @mysqli_query($this->conn_id, "SET NAMES '".$this->escape_str($charset)."' COLLATE '".$this->escape_str($collation)."'");
+		}
+		else
+		{
+			return @mysqli_set_charset($this->conn_id, $charset);
+		}
 	}
 
 	// --------------------------------------------------------------------
commit	6ae70cc8499499b5d77d77ec8974f95873edb861	[log] [tgz]
author	Derek Jones <derek.jones@ellislab.com>	Tue Apr 19 16:13:48 2011 -0500
committer	Derek Jones <derek.jones@ellislab.com>	Tue Apr 19 16:13:48 2011 -0500
tree	85b39e2ae9018e77f6fe8647b1004f91764001ce
parent	9ce4385cfc976e309ee12c53726abfd4f066ac3f [diff] [blame]