Details
- Type: Bug
- Status: Done/Fixed
- Priority: Minor
- Resolution: Fixed/Completed
- Affects Version/s: 2.0, 2.1.2, 2.1.4, 2.1.5, 2.1.7, 2.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 3.0
- Component/s: Core CiviCRM
- Labels: None
Description
Most of the time we rely on the DB_DataObject library to handle query construction and escaping, but in the areas where we manually construct queries from user input we use addslashes() to sanitize strings. addslashes() escapes only
\ ' " NUL (ASCII 0)
However, MySQL requires additional characters to be escaped:
\n \r \x1a (Control-Z)
\n and \r will only break CSV imports/exports, depending on server settings; this is easily fixable and not a security vulnerability. \Z (Control-Z, 0x1a) is the "end of file" character on Windows. Having it in the database will just break SQL dumps (again in an easily fixable way) and is also not a security vulnerability.
We just need to do a code-wide replacement of
addslashes(
with
mysqli_real_escape_string(
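As an added illustration (not CiviCRM code), the following Python models the two escaping rules the report compares and reports which MySQL-significant characters addslashes() leaves raw in a constructed user-supplied value; the function names and the sample value are assumptions made here.

```python
# Added example, not part of the CiviCRM code base: models PHP's addslashes()
# and MySQL's mysql_real_escape_string() so the gap between them is visible.
# Note that the real mysqli_real_escape_string() takes the connection link as
# its first argument, so the code-wide replacement is not purely textual.

# Characters addslashes() escapes: backslash, single quote, double quote, NUL.
ADDSLASHES_CHARS = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0"}

# MySQL additionally expects newline, carriage return and Control-Z escaped.
MYSQL_CHARS = dict(ADDSLASHES_CHARS, **{"\n": "\\n", "\r": "\\r", "\x1a": "\\Z"})

# The characters whose presence in raw form breaks CSV handling or SQL dumps.
CONTROL_CHARS = ("\n", "\r", "\x1a", "\x00")


def php_addslashes(value: str) -> str:
    """Model of PHP addslashes(): escapes only \\ ' \" and NUL."""
    return "".join(ADDSLASHES_CHARS.get(c, c) for c in value)


def mysql_real_escape(value: str) -> str:
    """Model of MySQL's escaping for a single-byte character set."""
    return "".join(MYSQL_CHARS.get(c, c) for c in value)


def unescaped_control_chars(escaped: str) -> set:
    """Return the control characters still present raw after escaping.

    An empty set means the literal is safe for single-line SQL text and dumps.
    """
    return {c for c in CONTROL_CHARS if c in escaped}


# Constructed sample: a "last name" field carrying a newline and a Control-Z.
SAMPLE = "O'Brien\nSmith\x1a"

if __name__ == "__main__":
    for name, fn in (("addslashes", php_addslashes), ("mysql", mysql_real_escape)):
        out = fn(SAMPLE)
        print(name, repr(out), "raw control chars:", unescaped_control_chars(out))
```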