[pLog-svn] Fwd: gallery changes for apostrophes
Jon Daley
plogworld at jon.limedaley.com
Wed Jul 5 16:40:26 GMT 2006
I assume this was recently broken, unless it has always been broken. If
you upload an image to the resources that contains an apostrophe, it will
be correctly loaded into the database (i.e. with an escaped apostrophe) but
the image can never be retrieved, since the linkparser doesn't allow
apostrophes in the resource name.

Here is a patch that will allow it to work (probably there are a couple
other places in galleryresources.class.php that need to quote the string
as well).

However, I didn't check this in because maybe we should just strip out the
apostrophes on upload, to avoid SQL injection sorts of things.

Diff on the 1.0.6 branch.
Index: net/linkparser.class.php
===================================================================
--- net/linkparser.class.php (revision 3693)
+++ net/linkparser.class.php (working copy)
@@ -25,7 +25,7 @@
'{userid}' => '([0-9]+)?',
'{templatename}' => '([_0-9a-zA-Z-.]+)?',
'{resourceid}' => '([0-9]+)?',
- '{resourcename}' => '([0-9a-zA-Z_\-\.\,\\ \(\)\[\]]+)?',
+ '{resourcename}' => '([0-9a-zA-Z_\'\-\.\,\\ \(\)\[\]]+)?',
'{albumid}' => '([0-9]+)?',
'{albumname}' => '([0-9a-zA-Z_\-\.\,\\ \(\)\[\]]+)?'
);
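Review bot: the `{albumname}` entry two lines below this change keeps the old character class, so an album whose name contains an apostrophe will hit the same "stored but never retrievable" problem this hunk fixes for `{resourcename}`; widen both patterns in the same change, or state why album names are excluded. Note also that this character class is the only filter a resource name passes before it reaches SQL, so admitting the apostrophe here means every query that interpolates a resource name must quote it (the cover note already says galleryresources.class.php has more such places than the one patched below).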
Index: gallery/dao/galleryresources.class.php
===================================================================
--- gallery/dao/galleryresources.class.php (revision 3693)
+++ gallery/dao/galleryresources.class.php (working copy)
@@ -659,7 +659,7 @@
metadata, thumbnail_format
FROM ".$this->getPrefix()."gallery_resources
WHERE owner_id = $ownerId AND
- file_name = '$fileName'";
+ file_name = '".Db::qstr($fileName)."'";
if( $albumId > 0 )
$query .= " AND album_id = $albumId";
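Review bot: only `$fileName` is escaped here; `$ownerId` and `$albumId` are still interpolated unquoted into the same statement. Unless the caller already guarantees they are integers, cast them (`owner_id = ".(int)$ownerId."` and likewise for `$albumId`) so the fix does not leave a second interpolation path in the query. Also confirm that `Db::qstr()` returns the escaped value without its own surrounding quotes, since the hunk adds them around the call. The cover note says other queries in this file interpolate the file name as well; those need the same treatment before this is committed.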
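As an added illustration (not pLog's code, and not part of the message above), the two halves of the problem side by side: the patched `{resourcename}` character class used as the allow-list gate, and the same lookup written with a prepared statement so the admitted apostrophe is carried as data rather than escaped into the SQL text. The PDO handle, the `plog_` table prefix and the sample row are assumptions constructed for the demo.

```php
<?php
// Added example, not pLog's code. Column names follow the patched hunk.

// Character class from the patched {resourcename} entry; in a single-quoted
// PHP string \' yields a literal apostrophe and \\ a single backslash.
const RESOURCE_NAME_PATTERN = '/^([0-9a-zA-Z_\'\-\.\,\\ \(\)\[\]]+)$/';

function isRoutableResourceName(string $name): bool
{
    return preg_match(RESOURCE_NAME_PATTERN, $name) === 1;
}

// Lookup with bound parameters: whatever the allow-list admits (apostrophe
// today, maybe more later) never becomes SQL syntax. $pdo and $prefix are
// assumptions for the demo.
function findResourceByName(PDO $pdo, string $prefix, int $ownerId, string $fileName, int $albumId = 0): ?array
{
    if (!isRoutableResourceName($fileName)) {
        return null; // same gate the link parser applies before routing
    }
    $sql = "SELECT file_name, metadata, thumbnail_format
              FROM {$prefix}gallery_resources
             WHERE owner_id = :owner AND file_name = :name";
    $params = [':owner' => $ownerId, ':name' => $fileName];
    if ($albumId > 0) {
        $sql .= " AND album_id = :album";
        $params[':album'] = $albumId;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory SQLite fixture so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE plog_gallery_resources (
    owner_id INTEGER, album_id INTEGER, file_name TEXT,
    metadata TEXT, thumbnail_format TEXT)");
$pdo->exec("INSERT INTO plog_gallery_resources
    VALUES (1, 0, 'Jon''s photo.jpg', '', 'jpg')");

var_dump(isRoutableResourceName("Jon's photo.jpg"));      // bool(true)
var_dump(isRoutableResourceName("photo;drop.jpg"));       // bool(false), ';' not in the class
var_dump(findResourceByName($pdo, 'plog_', 1, "Jon's photo.jpg"));
```

The second `var_dump` shows the allow-list still doing real work: the prepared statement makes the apostrophe safe, but the pattern decides which names are routable at all.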