- Threads sorted by date: debian 200910
Hi everyone
We had a few issues in the past with insufficient database escaping, which led to possible SQL injections due to the use of the deprecated functions mysql_escape_string() and PQescapeString().

These functions do not take the encoding of the established connection into account, which can lead to insufficient escaping if the encoding of this connection can be set to certain multibyte character encodings (such as GBK).

I found the explanation given in this email[0] quite useful to elaborate on the thread.

In order to prevent this issue, the new functions mysql_real_escape_string()[1] and PQescapeStringConn()[2] have been added, which honour the specific encoding of the connection.

Thanks to Kees, I have prepared a list of packages (below) that are still using the deprecated functions. Apologies for all false positives, I've tried to eliminate as many as possible. If you find your package in the list below, please have a look at the code and check if you can change to the new functions.

You are likely vulnerable to an SQL injection attack if you only rely on the deprecated functions for escaping (or have some self-made escaping, for that matter) AND if it is possible to set the client encoding.

If other encodings, such as UTF-8, are used, you are not vulnerable, so check that as well, please.

In the near future, I will try to do the archive scan again and file bugs with severity "normal" for the packages below that are still relying on the deprecated functions. (Should they be found vulnerable, the severity will be raised, of course.)

If you are in doubt about anything or if you found that your package is vulnerable, please contact the security team (team@security.debian.org).
Cheers
Steffen
[0]: http://www.mail-archive.com/pgsql-hackers@postgresql.org/msg71061.html
[1]: http://dev.mysql.com/doc/refman/5.0/es/mysql-real-escape-string.html
[2]: http://www.postgresql.org/docs/8.4/static/libpq-exec.html

ampache: Charlie Smotherman
./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $filenam2 = mysql_escape_string($filename);
./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $res2 = mysql_escape_string(serialize($result));

asterisk-addons: Debian VoIP Team
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(clid, cdr->clid, strlen(cdr->clid));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dcontext, cdr->dcontext, strlen(cdr->dcontext));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(channel, cdr->channel, strlen(cdr->channel));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dstchannel, cdr->dstchannel, strlen(cdr->dstchannel));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(lastapp, cdr->lastapp, strlen(cdr->lastapp));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(lastdata, cdr->lastdata, strlen(cdr->lastdata));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(src, cdr->src, strlen(cdr->src));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dst, cdr->dst, strlen(cdr->dst));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(accountcode, cdr->accountcode, strlen(cdr->accountcode));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(uniqueid, cdr->uniqueid, strlen(cdr->uniqueid));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(userfielddata, cdr->userfield, strlen(cdr->userfield));

b2evolution: Xavier Luthi
./b2evolution-2.4.7/blogs/inc/_core/model/db/_db.class.php: return mysql_escape_string( $unescaped_string );

boinc: Debian BOINC Maintainers
./boinc-6.4.5+dfsg/html/ops/bbcode_convert_signature.php: $query = "update forum_preferences set signature = '".mysql_escape_string($text)."' where userid=".$forum_preferences->userid;
./boinc-6.4.5+dfsg/html/ops/bbcode_convert.php: $query = "update post set content = '".mysql_escape_string($text)."' where id=".$post->id;
./boinc-6.4.5+dfsg/html/ops/bbcode_convert_response2.php: $query = "update profile set response2 = '".mysql_escape_string($text)."' where userid=".$profile->userid;
./boinc-6.4.5+dfsg/html/ops/bbcode_convert_response1.php: $query = "update profile set response1 = '".mysql_escape_string($text)."' where userid=".$profile->userid;
./boinc-6.4.5+dfsg/html/user/forum_search_action.php: $search_string.=mysql_escape_string($word)."%";
./boinc-6.4.5+dfsg/html/user/forum_search_action.php: $search_string.=mysql_escape_string($word)."%";

bulmages: René Mérou
./bulmages-0.11.1/bulmages/bulmalib/src/postgresiface2.cpp: PQescapeString ( buffer, cadena.toAscii().constData(), cadena.toAscii().size() );

clisp: Debian Common Lisp Team
./clisp-2.44.1/modules/postgresql/postgresql.lisp:(def-call-out PQescapeString (:return-type uint)

cvsnt: Andreas Tscharner
./cvsnt-2.5.04.3236/cvsapi/db/mysql/mysql-3.23/mysql.h:unsigned long STDCALL mysql_escape_string(char *to,const char *from, unsigned long from_length);

cyrus-sasl2: Debian Cyrus SASL Team
./cyrus-sasl2-2.1.23.dfsg1/plugins/sql.c: return mysql_escape_string(to, from, strlen(from));
./cyrus-sasl2-2.1.23.dfsg1/plugins/sql.c: return PQescapeString(to, from, strlen(from));

cyrus-sasl2-heimdal: Debian Cyrus SASL Team
./cyrus-sasl2-heimdal-2.1.23.dfsg1/plugins/sql.c: return mysql_escape_string(to, from, strlen(from));
./cyrus-sasl2-heimdal-2.1.23.dfsg1/plugins/sql.c: return PQescapeString(to, from, strlen(from));

dsyslog: William Pitcock
./dsyslog-0.5.0/www/functions.php: return mysql_escape_string($string);

dtc: Thomas Goirand
./dtc-0.29.17/client/webmoney.php: $q = "SELECT * FROM $pro_mysql_pay_table WHERE id='".mysql_escape_string($_POST['LMI_PAYMENT_NO'])."'";
./dtc-0.29.17/client/webmoney.php: $q = "UPDATE $pro_mysql_pay_table SET paiement_type='$paiement_type',secpay_site='$secpay_site',valid='pending',pending_reason='$reason' WHERE id='".mysql_escape_string($_POST['LMI_PAYMENT_NO'])."'";
./dtc-0.29.17/client/webmoney.php: //setPaiemntAsPending(mysql_escape_string($_POST['LMI_PAYMENT_NO']),mysql_escape_string('Payer: '.$_POST['LMI_PAYER_PURSE'].', wmid'.$_POST['LMI_PAYER_WM']));
./dtc-0.29.17/client/webmoney.php: $q = "SELECT * FROM $pro_mysql_pay_table WHERE id='".mysql_escape_string($_POST['LMI_PAYMENT_NO'])."'";
./dtc-0.29.17/client/webmoney.php: $total = mysql_escape_string($_POST['LMI_PAYMENT_AMOUNT']);
./dtc-0.29.17/client/webmoney.php: secpay_custom_id='$secpay_custom_id',valid='yes' WHERE id='".mysql_escape_string($_POST['LMI_PAYMENT_NO'])."'";
./dtc-0.29.17/client/new_account.php: VALUES ('','".$_REQUEST["adm_login"]."','','example.com','". mysql_escape_string($client["familyname"]) ."','". mysql_escape_string($client["christname"]) ."',
./dtc-0.29.17/client/new_account.php: '". mysql_escape_string($client["company_name"]) ."','".$client["is_company"]."','".$client["email"]."',
./dtc-0.29.17/client/new_account.php: '". mysql_escape_string($client["phone"]) ."','". mysql_escape_string($client["fax"]) ."','". mysql_escape_string($client["addr1"]) ."','". mysql_escape_string($client["addr2"]) ."','". mysql_escape_string($client["addr3"])."',
./dtc-0.29.17/client/new_account.php: '". mysql_escape_string($client["zipcode"]) ."','". mysql_escape_string($client["city"]) ."','". mysql_escape_string($client["state"]) ."','".$client["country"]."',
./dtc-0.29.17/client/new_account.php: '".mysql_escape_string($_REQUEST["custom_notes"])."','".$_REQUEST["vps_location"]."','".$_REQUEST["vps_os"]."',
./dtc-0.29.17/client/new_account.php: '". mysql_escape_string($client["vat_num"]) ."','".$_SERVER["REMOTE_ADDR"]."','".date("Y-m-d")."','".date("H:i:s")."','yes')";
./dtc-0.29.17/client/paypal.php: setPaiemntAsPending(mysql_escape_string($item_number),mysql_escape_string($_REQUEST["pending_reason"]));
./dtc-0.29.17/client/paypal.php: validatePaiement(mysql_escape_string($item_number),$refund_amount,"online","paypal",mysql_escape_string($_REQUEST["txn_id"]),mysql_escape_string($_REQUEST["mc_gross"]));

fpc: Carlos Laviola
./fpc-2.2.4/fpcsrc/packages/mysql/src/mysql.inc: function mysql_escape_string(fto:Pchar; from:Pchar; from_length:culong):culong;extdecl;external mysqllib name 'mysql_escape_string';
./fpc-2.2.4/fpcsrc/packages/mysql/src/mysql4.pp:function mysql_escape_string(_to:Pchar; from:Pchar; from_length:dword):dword;extdecl;external External_library name 'mysql_escape_string';
./fpc-2.2.4/fpcsrc/packages/mysql/src/mysql3.pp:Function mysql_escape_string(escto,escfrom : pchar; length : Cardinal) : cardinal;extdecl; external mysqllib name 'mysql_escape_string';
./fpc-2.2.4/fpcsrc/packages/postgres/src/postgres3.pp: function PQescapeString(till:Pchar; from:Pchar; length:size_t):size_t;cdecl;external External_library name 'PQescapeString';

freeradius: Stephen Gran
./freeradius-2.1.0+dfsg/dialup_admin/lib/sql/drivers/mysql/functions.php3: return @mysql_escape_string($string);

gammu: Michal Čihař
./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer4, buffer2, strlen(buffer2));
./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));
./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));

gnugk: Debian VoIP Team
./gnugk-2.2.8/gksql_pgsql.cxx: PQescapeString(escapedStr.GetPointer(numChars*2+1), str, numChars) + 1

hk-classes: Debian QA Group
./hk-classes-0.8.3/hk_mysqlclasses/hk_mysqlcolumn.cpp: if (p_mysqldatasource->dbhandler()) mysql_escape_string(p_asstring,data->data,data->length);
./hk-classes-0.8.3/hk_mysqlclasses/hk_mysqlcolumn.cpp: p_driver_specific_data_size=mysql_escape_string(p_driver_specific_data,s.c_str(),a);
./hk-classes-0.8.3/hk_mysqlclasses/hk_mysqlcolumn.cpp: p_driver_specific_data_size=mysql_escape_string(p_driver_specific_data,b,p_original_new_data_size);

jabberd2: Debian XMPP Maintainers
./jabberd2-2.2.8/storage/storage_pgsql.c: vlen = PQescapeString(cval, f->val, strlen(f->val));
./jabberd2-2.2.8/storage/storage_pgsql.c: vlen = PQescapeString(cval, (char *) val, strlen((char *) val));
./jabberd2-2.2.8/storage/storage_pgsql.c: vlen = PQescapeString(&cval[3], xml, xlen) + 3;
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(euser, iuser, strlen(iuser));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(erealm, irealm, strlen(irealm));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(euser, iuser, strlen(iuser));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(erealm, irealm, strlen(irealm));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(epass, password, strlen(password));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(euser, iuser, strlen(iuser));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(erealm, irealm, strlen(irealm));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(euser, iuser, strlen(iuser));
./jabberd2-2.2.8/storage/authreg_pgsql.c: PQescapeString(erealm, irealm, strlen(irealm));

libdbi-drivers: Thomas Goirand
./libdbi-drivers-0.8.2-1/drivers/mysql/dbd_mysql.c: len = mysql_escape_string(dest+1, orig, strlen(orig));
./libdbi-drivers-0.8.2-1/drivers/pgsql/dbd_pgsql.c: len = PQescapeString(dest+1, orig, strlen(orig));

libgda3: Gustavo R. Montesino
./libgda3-3.0.2/providers/postgres/gda-postgres-provider.c: PQescapeString (dest, str, length);

libpgsql-ruby: Dmitry Borodaenko
NOTE: Does not offer PQescapeStringConn() in etch

libpqxx3/libpqxx: Eugene V. Lyubimkin
./libpqxx3-3.0.0/configure.ac:AC_MSG_CHECKING([PQescapeString()])
./libpqxx3-3.0.0/configure.ac: [char c[1];PQescapeString(c,"",0x01)],
./libpqxx3-3.0.0/configure.ac: [Define if libpq has PQescapeString()]),
./libpqxx3-3.0.0/configure.ac:You appear to be building with a very old libpq version that does not have PQescapeString(). This can cause serious problems when non-ASCII data is used
./libpqxx3-3.0.0/include/pqxx/config.h.in:/* Define if libpq has PQescapeString() */
./libpqxx3-3.0.0/configure.ac.in:AC_MSG_CHECKING([PQescapeString()])
./libpqxx3-3.0.0/configure.ac.in: [char c[1];PQescapeString(c,"",0x01)],
./libpqxx3-3.0.0/configure.ac.in: [Define if libpq has PQescapeString()]),
./libpqxx3-3.0.0/configure.ac.in:You appear to be building with a very old libpq version that does not have PQescapeString(). This can cause serious problems when non-ASCII data is used
./libpqxx3-3.0.0/src/connection_base.cxx: const size_t bytes = PQescapeString(buf.c_ptr(), str, maxlen);
./libpqxx3-3.0.0/configure:{ echo "$as_me:$LINENO: checking PQescapeString()" >&5
./libpqxx3-3.0.0/configure:echo $ECHO_N "checking PQescapeString()... $ECHO_C" >&6; }
./libpqxx3-3.0.0/configure:char c[1];PQescapeString(c,"",0x01)
./libpqxx3-3.0.0/configure:You appear to be building with a very old libpq version that does not have PQescapeString(). This can cause serious problems when non-ASCII data is used
./libpqxx3-3.0.0/configure:You appear to be building with a very old libpq version that does not have PQescapeString(). This can cause serious problems when non-ASCII data is used

libpreludedb: Mickael Profeta
./libpreludedb-0.9.15.3/plugins/sql/mysql/mysql.c: rsize = mysql_escape_string((*output) + 1, (const char *) input, input_size);
./libpreludedb-0.9.15.3/plugins/sql/pgsql/pgsql.c: rsize = PQescapeString((*output) + 1, input, input_size);

libyada: Christoph Berg
./libyada-1.0.2/src/yada_pgsql.c: *dlen = PQescapeString(dest, src, slen);

mediawiki: Mediawiki Maintenance Team
./mediawiki-1.15.0/maintenance/namespace2sql.php: $nsname = mysql_escape_string( $wgLang->getNsText( $i ) );
./mediawiki-1.15.0/maintenance/namespace2sql.php: $dbname = mysql_escape_string( $wgDBname );

mediawiki-metavidwiki: John Ferlito
./mediawiki-metavidwiki-0.2/includes/MV_Index.php: $ftq.=' '.$aon.'"spoken by '.mysql_escape_string($f['v']).'"';
./mediawiki-metavidwiki-0.2/includes/MV_Index.php: $ftq_match.=' '.$aon.'"'.mysql_escape_string($f['v']).'"';
./mediawiki-metavidwiki-0.2/includes/MV_Index.php: $toplq.=' '.$aon.'"category '.mysql_escape_string($f['v']).'" ';
./mediawiki-metavidwiki-0.2/includes/MV_Index.php: //$ftq.=' '.$aon.'category:'.mysql_escape_string($f['v']);
./mediawiki-metavidwiki-0.2/includes/MV_Index.php: $toplq_cat.=" $categoryTable.`cl_to`='".mysql_escape_string($f['v'])."'";
./mediawiki-metavidwiki-0.2/includes/MV_Index.php: . mysql_escape_string($sts) .
./mediawiki-metavidwiki-0.2/includes/MV_Index.php: ' AND `mv_streams`.`date_start_time` < '. mysql_escape_string($ets) .
./mediawiki-metavidwiki-0.2/includes/MV_MetavidInterface/MV_SequenceTools.php: array('`name` LIKE \'%'.mysql_escape_string($val).'%\''),
./mediawiki-metavidwiki-0.2/includes/specials/MV_SpecialMediaSearch.php: '`cl_sortkey` LIKE \'%'.mysql_escape_string($val).'%\' COLLATE latin1_general_ci'),
./mediawiki-metavidwiki-0.2/includes/specials/MV_SpecialMediaSearch.php: '`cl_sortkey` LIKE \'%'.mysql_escape_string($val).'%\' COLLATE latin1_general_ci'),

mit-scheme: Chris Hanson
./mit-scheme-7.7.90+20090107/src/microcode/prpgsql.c: (ulong_to_integer (PQescapeString ((STRING_ARG (2)),

mnogosearch: Debian QA Group
./mnogosearch-3.3.8/src/sql-mysql.c: mysql_escape_string(to, from, len);

moodle: Moodle Packaging Team
./moodle-1.9.4.dfsg/mod/wiki/ewiki/ewiki.php: $id = "'" . mysql_escape_string($args["id"]) . "'";
./moodle-1.9.4.dfsg/mod/wiki/ewiki/ewiki.php: mysql_query("UPDATE " . EWIKI_DB_TABLE_NAME . " SET hits=(hits+1) WHERE pagename='" . mysql_escape_string($args["id"]) . "'");
./moodle-1.9.4.dfsg/mod/wiki/ewiki/ewiki.php: $sql2 .= $a . "'" . mysql_escape_string($value) . "'";
./moodle-1.9.4.dfsg/mod/wiki/ewiki/ewiki.php: "(pagename='" . mysql_escape_string($id) . "')";
./moodle-1.9.4.dfsg/mod/wiki/ewiki/ewiki.php: " WHERE LOCATE('" . mysql_escape_string($content) . "', LCASE($field)) " .
./moodle-1.9.4.dfsg/mod/wiki/ewiki/ewiki.php: $id = mysql_escape_string($args["id"]);

movabletype-opensource: Dominic Hargreaves
./movabletype-opensource-4.2.6.1/php/extlib/ezsql/ezsql_mysql.php: return mysql_escape_string(stripslashes($str));

mysql-ocaml: Samuel Mimram
./mysql-ocaml-1.0.4/mysql_stubs.c: esclen = mysql_escape_string(buf,s,len);

neko: Jens Peter Secher
./neko-1.8.1/libs/mysql/my_proto/my_api.c:int mysql_escape_string( MYSQL *m, char *sout, const char *sin, int length ) {
./neko-1.8.1/libs/mysql/my_proto/mysql.h:int mysql_escape_string( MYSQL *m, char *sout, const char *sin, int length );

nepenthes: Luciano Bello
./nepenthes-0.2.2/modules/sqlhandler-postgres/sqlhandler-postgres.cpp: size = PQescapeString(escaped,str->c_str(),str->size());

netmrg: Uwe Steinmann
./netmrg-0.20/src/db.cpp: mysql_escape_string(raw_output, input.c_str(), input.length());
./netmrg-0.20/www/lib/database.php: return mysql_escape_string($string);

ocsinventory-server: Pierre Chifflier
./ocsinventory-server-1.02.1/ocsreports/header.php: $req="SELECT id, accesslvl, passwd FROM operators WHERE id='".mysql_escape_string($_POST["login"])."'";
./ocsinventory-server-1.02.1/ocsreports/download.php: $dlQuery .= "files WHERE name='".mysql_escape_string($_GET["n"])."' AND os='".mysql_escape_string($_GET["o"])."' AND version='".mysql_escape_string($_GET["v"])."'";

onak: Jonathan McDowell
./onak-0.3.7/keydb_pg.c: PQescapeString(newsearch, search, strlen(search));
./onak-0.3.7/keydb_pg.c: PQescapeString(safeuid, uids[i],

parrot: Debian Parrot Maintainers
./parrot-1.4.0/config/gen/call_list/misc.in:l ttl # unsigned long mysql_escape_string(char *to,const char *from, unsigned long from_length)

parser-mysql: Sergey B Kirpichev
./parser-mysql-10.1/parser3mysql.C: mysql_escape_string(result, from, length);

pgadmin3: Raphael Enrici
./pgadmin3-1.10.0/pgadmin/utils/tabcomplete.c: PQescapeString(e_text, text, string_length);
./pgadmin3-1.10.0/pgadmin/utils/tabcomplete.c: PQescapeString(e_addon, addon, strlen(addon));

pgpool2: Peter Eisentraut
./pgpool2-2.2.3/pool_query_cache.c: escaped_query_len = PQescapeString(escaped_query, query_cache_info->query, strlen(query_cache_info->query));

pgtcl: Martin Pitt
./pgtcl-1.5/generic/pgtclCmds.c: stringSize = PQescapeString (toString+1, fromString, fromStringLen);

php-getid3: Romain Beauxis
./php-getid3-1.7.9/getid3/extension.cache.mysql.php: $filenam2 = mysql_escape_string($filename);
./php-getid3-1.7.9/getid3/extension.cache.mysql.php: $res2 = mysql_escape_string(serialize($result));
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`filename` = "'.mysql_escape_string($from).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`filename` = "'.mysql_escape_string($filename).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`filename` = "'.mysql_escape_string($row['filename']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE `filename` LIKE "'.mysql_escape_string($row['filename']).'"';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`LastModified` = "'.mysql_escape_string(@$ThisFileInfo['file_modified_time']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`md5_file` = "'.mysql_escape_string(@$ThisFileInfo['md5_file']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`md5_data` = "'.mysql_escape_string(@$ThisFileInfo['md5_data']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`md5_data_source` = "'.mysql_escape_string(@$ThisFileInfo['md5_data_source']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`filesize` = "'.mysql_escape_string(@$ThisFileInfo['filesize']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`fileformat` = "'.mysql_escape_string(@$ThisFileInfo['fileformat']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`audio_dataformat` = "'.mysql_escape_string(@$ThisFileInfo['audio']['dataformat']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`video_dataformat` = "'.mysql_escape_string(@$ThisFileInfo['video']['dataformat']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`audio_bitrate` = "'.mysql_escape_string(floatval(@$ThisFileInfo['audio']['bitrate'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`video_bitrate` = "'.mysql_escape_string(floatval(@$ThisFileInfo['video']['bitrate'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`playtime_seconds` = "'.mysql_escape_string(floatval(@$ThisFileInfo['playtime_seconds'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`tags` = "'.mysql_escape_string(@implode("\t", @array_keys(@$ThisFileInfo['tags']))).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`artist` = "'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['artist'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`title` = "'.mysql_escape_string($this_track_title).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`remix` = "'.mysql_escape_string($this_track_remix).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`album` = "'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['album'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`genre` = "'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['genre'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`comment` = "'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['comment'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`track` = "'.mysql_escape_string($this_track_track).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`comments_all` = "'.mysql_escape_string(@serialize(@$ThisFileInfo['comments'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`comments_id3v2` = "'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['id3v2'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`comments_ape` = "'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['ape'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`comments_lyrics3` = "'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['lyrics3'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`comments_id3v1` = "'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['id3v1'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`warning` = "'.mysql_escape_string(@implode("\t", @$ThisFileInfo['warning'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`error` = "'.mysql_escape_string(@implode("\t", @$ThisFileInfo['error'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`encoder_options` = "'.mysql_escape_string(trim(@$ThisFileInfo['audio']['encoder'].' '.@$ThisFileInfo['audio']['encoder_options'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`vbr_method` = "'.mysql_escape_string(@$ThisFileInfo['mpeg']['audio']['VBR_method']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '`track_volume` = "'.mysql_escape_string(floatval(@$ThisFileInfo['replay_gain']['track']['volume'])).'" ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= 'WHERE (`filename` = "'.mysql_escape_string(@$ThisFileInfo['filenamepath']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['filenamepath']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['file_modified_time']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['md5_file']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['md5_data']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['md5_data_source']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['filesize']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['fileformat']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['audio']['dataformat']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@$ThisFileInfo['video']['dataformat']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(floatval(@$ThisFileInfo['audio']['bitrate'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(floatval(@$ThisFileInfo['video']['bitrate'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(floatval(@$ThisFileInfo['playtime_seconds'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@implode("\t", @array_keys(@$ThisFileInfo['tags']))).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['artist'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string($this_track_title).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string($this_track_remix).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['album'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['genre'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comments']['comment'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string($this_track_track).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@serialize(@$ThisFileInfo['comments'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['id3v2'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['ape'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['lyrics3'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']['id3v1'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['warning'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['error'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(trim(@$ThisFileInfo['audio']['encoder'].' '.@$ThisFileInfo['audio']['encoder_options'])).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(!empty($ThisFileInfo['mpeg']['audio']['LAME']) ? 'LAME' : @$ThisFileInfo['mpeg']['audio']['VBR_method']).'", ';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= '"'.mysql_escape_string(floatval(@$ThisFileInfo['replay_gain']['track']['volume'])).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`filename` = "'.mysql_escape_string($row['filename']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`filename` = "'.mysql_escape_string($row['filename']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE `filename` LIKE "'.mysql_escape_string($row['filename']).'"';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`filename` = "'.mysql_escape_string($row['filename']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`encoder_options` = "'.mysql_escape_string($_REQUEST['encodedbydistribution']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`encoder_options` LIKE "'.mysql_escape_string($_REQUEST['showtagfiles']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`tags` LIKE "'.mysql_escape_string($_REQUEST['showtagfiles']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`md5_data` = "'.mysql_escape_string($row['md5_data']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`artist` = "'.mysql_escape_string($_REQUEST['m3uartist']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' AND (`title` = "'.mysql_escape_string($_REQUEST['m3utitle']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`artist` = "'.mysql_escape_string($row['artist']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' AND (`title` = "'.mysql_escape_string($row['title']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' AND (`remix` = "'.mysql_escape_string($row['remix']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`artist` = "'.mysql_escape_string($row['artist']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' AND (`title` = "'.mysql_escape_string($row['title']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`fileformat` = "'.mysql_escape_string($fileformat).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' AND (`audio_dataformat` = "'.mysql_escape_string($audioformat).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`genre` LIKE "'.mysql_escape_string($_REQUEST['genredistribution']).'")';
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .= ' WHERE (`vbr_method` = "'.mysql_escape_string($_REQUEST['vbrmethod']).'")';
./php-getid3-1.7.9/demos/demo.mp3header.php: return mysql_escape_string($text);

phpwiki: Matt Brown
./phpwiki-1.3.14/lib/pear/DB/mysql.php: return @mysql_escape_string($str);

pixelpost: Xavier Luthi
./pixelpost-1.7.1/includes/functions.php: if (version_compare($phpver,"4.3.0")=="-1") $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/includes/functions.php: if (version_compare($phpver,"4.3.0")=="-1") $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/includes/functions.php: if(version_compare($phpver, "4.3.0")=="-1") $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/admin/comments.php: $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/admin/comments.php: $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/addons/admin_ping.php: if(version_compare(phpversion(),"4.3.0")=="-1") $pinglist = mysql_escape_string($pinglist);

postgresql-ocaml: Debian OCaml Maintainers
./postgresql-ocaml-1.10.3/lib/postgresql_stubs.c: return Val_int(PQescapeString(String_val(v_to) + Int_val(v_pos_to), String_val(v_from) + Int_val(v_pos_from), Int_val(v_len)));

prokyon3: Debian QA Group
./prokyon3-0.9.6/sql++/sql_query.cc: mysql_escape_string(s,const_cast(S.c_str()),S.size());
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in), size);
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size());
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in), size);
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() ); =20
psycopg2: Fabio Tranchitella
./psycopg2-2.0.8/psycopg/adapter_qstring.c: return PQescapeString(t=
o,=20
from, len);
pvpgn: Radu Spineanu
./pvpgn-1.8.1/build-tree/pvpgn-1.8.1/src/bnetd/sql_pgsql.c: =20
PQescapeString(escape, from, len);
pygresql: Matthias Klose
./pygresql-4.0/pgmodule.c: to_length =3D (int)PQescapeString(to, from,=
=20
(size_t)from_length);
python-mysqldb: Debian Python Modules Team
./python-mysqldb-1.2.2/_mysql.c: len =3D mysql_escape_string(out, in=
,=20
size); =20
./python-mysqldb-1.2.2/_mysql.c: len =3D mysql_escape_string=
(out,=20
in, size);
./python-mysqldb-1.2.2/_mysql.c: len =3D mysql_escape_string(out+1, =
in,=20
size); =20
./python-mysqldb-1.2.2/_mysql.c: len =3D=20
mysql_escape_string(out+1, in, size);
./python-mysqldb-1.2.2/doc/MySQLdb.txt: ``mysql_escape_string()`` =
=20
``_mysql.escape_string()``
qt-x11-free: Debian Qt/KDE Maintainers
./qt-x11-free-3.3.8-b/src/sql/drivers/mysql/qsql_mysql.cpp: /*uint=
=20
escapedSize =3D*/ mysql_escape_string( buffer, ba.data(), ba.size() );
ratbox-services: Arnaud Cornet
./ratbox-services-1.2.1/build-tree/ratbox-services-1.2.1/src/rsdb_pgsql.c:=
=20
PQescapeString(buf, src, length);
redland: Dave Beckett
./redland-1.0.9/src/rdf_storage_postgresql.c: =20
PQescapeString(escaped_name,(const char*)name, strlen(name));
./redland-1.0.9/src/rdf_storage_postgresql.c: =20
PQescapeString(escaped_uri,(const char*)uri, nodelen); =20
./redland-1.0.9/src/rdf_storage_postgresql.c: =20
PQescapeString(escaped_value, (const char*)value, valuelen);
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString(=20
escaped_lang, (const char*)lang, langlen);
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString(=
=20
escaped_datatype, (const char*)datatype, datatypelen);
./redland-1.0.9/src/rdf_storage_postgresql.c: =20
PQescapeString(escaped_name,(const char*)name, nodelen); =
=20
root-system: Christian Holm Christensen
./root-system-5.18.00/pgsql/src/TPgSQLStatement.cxx: mxsz=3DPQescapeStri=
ng=20
(mptr,(char*)mem,sz);
rpm2html: Michal =C4=8Ciha=C5=99
./rpm2html-1.11.0/sql.c: len =3D mysql_escape_string(end, value, len);
./rpm2html-1.11.0/sql.c: len =3D mysql_escape_string(end, value, len=
);
./rpm2html-1.11.0/sql.c: len =3D mysql_escape_string(end, value, len=
);
./rpm2html-1.11.0/sql.c: len =3D mysql_escape_string(end, value,=
=20
len);
./rpm2html-1.11.0/sql.c: len =3D mysql_escape_string(end, value, len); =
=20
./rpm2html-1.11.0/sql.c: len =3D mysql_escape_string(end, value, len); =
=20
scuttle: Marcelo Jorge Vieira (metal)
./scuttle-0.7.4/includes/db/mysqli.php: return=20
mysql_escape_string($msg);
./scuttle-0.7.4/includes/db/mysql.php: return=20
mysql_escape_string($msg); =20
./scuttle-0.7.4/includes/db/mysql4.php: return=20
mysql_escape_string($msg);
ser: Debian VoIP Team
./ser-2.0.0/modules/mysql/val.c: _s +=3D=20
mysql_escape_string(_s, VAL_STR(_v).s, l);
sitebar: Carlos Eduardo Sotelo Pinto (krlos)
./sitebar-3.3.9/inc/database.inc.php: return=20
mysql_escape_string(str_replace('\\0','\\\\0',$str));
snort: Javier Fernandez-Sanguino Pen~a
./snort-2.8.4.1/src/win32/WIN32-Includes/mysql/mysql.h:unsigned long =20
STDCALL mysql_escape_string(char *to,const char *from,
unsigned long from_length); =
=20
spl: Gerfried Fuchs
./spl-1.0~pre5/spl_modules/mod_sql_mysql.c: int newtext_len =3D=20
mysql_escape_string(newtext+1, text, text_len);
sqlrelay: Debian QA Group
./sqlrelay-0.39.4/src/api/mysql/mysql.C:unsigned long=20
mysql_escape_string(char *to, const char *from,
unsigned long length); =
=20
./sqlrelay-0.39.4/src/api/mysql/mysql.C:unsigned long=20
mysql_escape_string(char *to, const char *from,
unsigned long length) { =
=20
./sqlrelay-0.39.4/src/api/postgresql/pqescape.C:size_t PQescapeString(char=
=20
*to, const char *from, size_t length) {
./sqlrelay-0.39.4/test/dropin/postgresql.C: =20
checkSuccess(PQescapeString(to,from,strlen(from)),7); =20
./sqlrelay-0.39.4/test/dropin/mysql.C:=20
checkSuccess(mysql_escape_string(to,from,15),21); =
=20
./sqlrelay-0.39.4/TODO: =20
(mysql_escape_string()/mysql_real_escape_string()) =
=20
stardict-tools: Jose Carlos Medeiros
./stardict-tools-3.0.1/src/tabfile2sql.cpp: mysql_escape_string(word_bu=
f,=20
word, word_len);
./stardict-tools-3.0.1/src/tabfile2sql.cpp: =20
mysql_escape_string(meaning_buf, meaning, meaning_len);
symfony: Martin Meredith
./symfony-1.0.20/lib/vendor/propel-
generator/templates/sql/load/mysql/val.tpl: print "'" .=20
mysql_escape_string($column->getValue()) . "'";
./symfony-1.0.20/lib/vendor/propel-
generator/classes/propel/engine/platform/MysqlPlatform.php: return=
=20
mysql_escape_string($text); =20
texfam: TSUCHIYA Masatoshi
./texfam-1.2.1/build-tree/teTeX-1.0/libs/libwww/HTSQL.c: =
=20
mysql_escape_string(q, cp, strlen(cp));
typo3-src: Christian Welzel
./typo3-src-4.2.6/ChangeLog: * Update for bug #1354: Use=20
mysql_escape_string() with PHP 4.1.x
ulogd: Achilleas Kotsis
./ulogd-1.24/mysql/ulogd_MYSQL.c: =20
mysql_escape_string(stmt_ins, tmpstr,
strlen(tmpstr))=
; =20
./ulogd-1.24/mysql/ulogd_MYSQL.c: =20
mysql_escape_string(stmt_ins, res->value.ptr,
strlen(res->value.ptr)); =
=20
./ulogd-1.24/debian/patches/strfix.patch:- =20
mysql_escape_string(stmt_ins, tmpstr, =20
- strlen(tmpstr)); =
=20
./ulogd-1.24/debian/patches/strfix.patch:+ =
=20
mysql_escape_string(stmt_ins, tmpstr,
+ strlen(tmpstr))=
; =20
./ulogd-1.24/debian/patches/strfix.patch:- =20
mysql_escape_string(stmt_ins, res->value.ptr,
- strlen(res->value.ptr));
./ulogd-1.24/debian/patches/strfix.patch:+ =
=20
mysql_escape_string(stmt_ins, res->value.ptr,
+ strlen(res->value.ptr));
./ulogd-1.24/debian/patches/strfix.patch:- =20
PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
./ulogd-1.24/debian/patches/strfix.patch:+ =
=20
PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
./ulogd-1.24/debian/patches/strfix.patch:- =20
PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
./ulogd-1.24/debian/patches/strfix.patch:+ =
=20
PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
./ulogd-1.24/pgsql/ulogd_PGSQL.c: =20
PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
./ulogd-1.24/pgsql/ulogd_PGSQL.c: =20
PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
w3c-libwww: Richard Atterer
./w3c-libwww-5.4.0/Library/src/HTSQL.c: =20
mysql_escape_string(q, cp, strlen(cp));
webcalendar: WebCalendar Debian package development
./webcalendar-1.2.0+dfsg/includes/dbi4php.php: : mysql_escape_str=
ing=20
( $string ) ) );
webissues-server: Patrick Matth=C3=A4i
./webissues-server-0.8.4/include/database-mysql.inc.php: return=
=20
"'" . mysql_escape_string( $arg ) . "'";
wzdftpd: Pierre Chifflier
./wzdftpd-0.8.3/backends/pgsql/libpgsql_main.c:/** \todo XXX FIXME use=20
PQescapeString() */
xindy: J=C3=B6rg Sommer
./xindy-2.3/rte/clisp-2.43/modules/postgresql/postgresql.lisp:(def-call-ou=
t=20
PQescapeString (:return-type uint)
zoneminder: Peter Howard
./zoneminder-1.24.1/web/includes/database.php: return(=20
mysql_escape_string( stripslashes( $string ) ) );
./zoneminder-1.24.1/web/includes/database.php: return(=20
mysql_escape_string( $string ) );
zoph: Edelhard Becker
./zoph-0.7.5/php/database.inc.php: return mysql_escape_string($str);
./zoph-0.7.5/contrib/zoph-0.3.3.postgres.diff:- return=20
mysql_escape_string($str);
./zoph-0.7.5/contrib/zoph-0.3.3.postgres.diff:+ return=20
mysql_escape_string($str);
$SQLquery .=3D 'WHERE (`filename` =3D=20
"'.mysql_escape_string(@$ThisFileInfo['filenamepath']).'")'; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['filenamepath']).'", =
'; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['file_modified_time']=
).'",=20
'; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['md5_file']).'", '; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['md5_data']).'", '; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['md5_data_source']).'=
", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['filesize']).'", '; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['fileformat']).'", ';=
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['audio']
['dataformat']).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@$ThisFileInfo['video']
['dataformat']).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(floatval(@$ThisFileInfo['audio']
['bitrate'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(floatval(@$ThisFileInfo['video']
['bitrate'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D=20
'"'.mysql_escape_string(floatval(@$ThisFileInfo['playtime_seconds'])).'", '=
; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@implode("\t",=20
@array_keys(@$ThisFileInfo['tags']))).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comme=
nts']
['artist'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string($this_track_title).'", '; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string($this_track_remix).'", '; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comme=
nts']
['album'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comme=
nts']
['genre'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@implode("\t", @$ThisFileInfo['comme=
nts']
['comment'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string($this_track_track).'", '; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D=20
'"'.mysql_escape_string(@serialize(@$ThisFileInfo['comments'])).'", '; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']
['id3v2'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']
['ape'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']
['lyrics3'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@serialize(@$ThisFileInfo['tags']
['id3v1'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@implode("\t",=20
@$ThisFileInfo['warning'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(@implode("\t",=20
@$ThisFileInfo['error'])).'", '; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(trim(@$ThisFileInfo['audio']['encode=
r'].'=20
'.@$ThisFileInfo['audio']['encoder_options'])).'", '; =
=
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(!empty($ThisFileInfo['mpeg']['audio']
['LAME']) ? 'LAME' : @$ThisFileInfo['mpeg']['audio']['VBR_method']).'", '; =
=
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D '"'.mysql_escape_string(floatval(@$ThisFileInfo['replay_gain=
']
['track']['volume'])).'")'; =20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D ' WHERE (`filename` =3D=20
"'.mysql_escape_string($row['filename']).'")'; =20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=
=3D '=20
WHERE (`filename` =3D "'.mysql_escape_string($row['filename']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WH=
ERE=20
`filename` LIKE "'.mysql_escape_string($row['filename']).'"'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=
=3D '=20
WHERE (`filename` =3D "'.mysql_escape_string($row['filename']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WH=
ERE=20
(`encoder_options` =3D=20
"'.mysql_escape_string($_REQUEST['encodedbydistribution']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WH=
ERE=20
(`encoder_options` LIKE "'.mysql_escape_string($_REQUEST['showtagfiles']).'=
")'; =20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WH=
ERE=20
(`tags` LIKE "'.mysql_escape_string($_REQUEST['showtagfiles']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WH=
ERE=20
(`md5_data` =3D "'.mysql_escape_string($row['md5_data']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WH=
ERE=20
(`artist` =3D "'.mysql_escape_string($_REQUEST['m3uartist']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' AN=
D=20
(`title` =3D "'.mysql_escape_string($_REQUEST['m3utitle']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=
=3D '=20
WHERE (`artist` =3D "'.mysql_escape_string($row['artist']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=
=3D '=20
AND (`title` =3D "'.mysql_escape_string($row['title']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: =20
$SQLquery .=3D ' AND (`remix` =3D "'.mysql_escape_string($row['remix']).'")=
'; =20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=
=3D '=20
WHERE (`artist` =3D "'.mysql_escape_string($row['artist']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=
=3D '=20
AND (`title` =3D "'.mysql_escape_string($row['title']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WHERE=20
(`fileformat` =3D "'.mysql_escape_string($fileformat).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' AND=20
(`audio_dataformat` =3D "'.mysql_escape_string($audioformat).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=
=3D '=20
WHERE (`genre` LIKE=20
"'.mysql_escape_string($_REQUEST['genredistribution']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mysql.php: $SQLquery .=3D ' WH=
ERE=20
(`vbr_method` =3D "'.mysql_escape_string($_REQUEST['vbrmethod']).'")'; =
=20
./php-getid3-1.7.9/demos/demo.mp3header.php: return=20
mysql_escape_string($text); =
=20
phpwiki: Matt Brown
./phpwiki-1.3.14/lib/pear/DB/mysql.php: return @mysql_escape_string($str);
pixelpost: Xavier Luthi
./pixelpost-1.7.1/includes/functions.php: if (version_compare($phpver,"4.3.0")=="-1") $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/includes/functions.php: if (version_compare($phpver,"4.3.0")=="-1") $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/includes/functions.php: if(version_compare($phpver, "4.3.0")=="-1") $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/admin/comments.php: $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/admin/comments.php: $banlist = mysql_escape_string($banlist);
./pixelpost-1.7.1/addons/admin_ping.php: if(version_compare(phpversion(),"4.3.0")=="-1") $pinglist = mysql_escape_string($pinglist);
postgresql-ocaml: Debian OCaml Maintainers
./postgresql-ocaml-1.10.3/lib/postgresql_stubs.c: return Val_int(PQescapeString(String_val(v_to) + Int_val(v_pos_to), String_val(v_from) + Int_val(v_pos_from), Int_val(v_len)));
prokyon3: Debian QA Group
./prokyon3-0.9.6/sql++/sql_query.cc: mysql_escape_string(s,const_cast(S.c_str()),S.size());
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in), size);
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size());
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in), size);
./prokyon3-0.9.6/sql++/manip.cc: mysql_escape_string(s, const_cast(in.c_str()), in.size() );
psycopg2: Fabio Tranchitella
./psycopg2-2.0.8/psycopg/adapter_qstring.c: return PQescapeString(to, from, len);
pvpgn: Radu Spineanu
./pvpgn-1.8.1/build-tree/pvpgn-1.8.1/src/bnetd/sql_pgsql.c: PQescapeString(escape, from, len);
pygresql: Matthias Klose
./pygresql-4.0/pgmodule.c: to_length = (int)PQescapeString(to, from, (size_t)from_length);
python-mysqldb: Debian Python Modules Team
./python-mysqldb-1.2.2/_mysql.c: len = mysql_escape_string(out, in, size);
./python-mysqldb-1.2.2/_mysql.c: len = mysql_escape_string(out, in, size);
./python-mysqldb-1.2.2/_mysql.c: len = mysql_escape_string(out+1, in, size);
./python-mysqldb-1.2.2/_mysql.c: len = mysql_escape_string(out+1, in, size);
./python-mysqldb-1.2.2/doc/MySQLdb.txt: ``mysql_escape_string()`` ``_mysql.escape_string()``
qt-x11-free: Debian Qt/KDE Maintainers
./qt-x11-free-3.3.8-b/src/sql/drivers/mysql/qsql_mysql.cpp: /*uint escapedSize =*/ mysql_escape_string( buffer, ba.data(), ba.size() );
ratbox-services: Arnaud Cornet
./ratbox-services-1.2.1/build-tree/ratbox-services-1.2.1/src/rsdb_pgsql.c: PQescapeString(buf, src, length);
redland: Dave Beckett
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString(escaped_name,(const char*)name, strlen(name));
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString(escaped_uri,(const char*)uri, nodelen);
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString(escaped_value, (const char*)value, valuelen);
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString( escaped_lang, (const char*)lang, langlen);
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString( escaped_datatype, (const char*)datatype, datatypelen);
./redland-1.0.9/src/rdf_storage_postgresql.c: PQescapeString(escaped_name,(const char*)name, nodelen);
root-system: Christian Holm Christensen
./root-system-5.18.00/pgsql/src/TPgSQLStatement.cxx: mxsz=PQescapeString (mptr,(char*)mem,sz);
rpm2html: Michal Čihař
./rpm2html-1.11.0/sql.c: len = mysql_escape_string(end, value, len);
./rpm2html-1.11.0/sql.c: len = mysql_escape_string(end, value, len);
./rpm2html-1.11.0/sql.c: len = mysql_escape_string(end, value, len);
./rpm2html-1.11.0/sql.c: len = mysql_escape_string(end, value, len);
./rpm2html-1.11.0/sql.c: len = mysql_escape_string(end, value, len);
./rpm2html-1.11.0/sql.c: len = mysql_escape_string(end, value, len);
scuttle: Marcelo Jorge Vieira (metal)
./scuttle-0.7.4/includes/db/mysqli.php: return mysql_escape_string($msg);
./scuttle-0.7.4/includes/db/mysql.php: return mysql_escape_string($msg);
./scuttle-0.7.4/includes/db/mysql4.php: return mysql_escape_string($msg);
ser: Debian VoIP Team
./ser-2.0.0/modules/mysql/val.c: _s += mysql_escape_string(_s, VAL_STR(_v).s, l);
sitebar: Carlos Eduardo Sotelo Pinto (krlos)
./sitebar-3.3.9/inc/database.inc.php: return mysql_escape_string(str_replace('\\0','\\\\0',$str));
snort: Javier Fernandez-Sanguino Pen~a
./snort-2.8.4.1/src/win32/WIN32-Includes/mysql/mysql.h:unsigned long STDCALL mysql_escape_string(char *to,const char *from, unsigned long from_length);
spl: Gerfried Fuchs
./spl-1.0~pre5/spl_modules/mod_sql_mysql.c: int newtext_len = mysql_escape_string(newtext+1, text, text_len);
sqlrelay: Debian QA Group
./sqlrelay-0.39.4/src/api/mysql/mysql.C:unsigned long mysql_escape_string(char *to, const char *from, unsigned long length);
./sqlrelay-0.39.4/src/api/mysql/mysql.C:unsigned long mysql_escape_string(char *to, const char *from, unsigned long length) {
./sqlrelay-0.39.4/src/api/postgresql/pqescape.C:size_t PQescapeString(char *to, const char *from, size_t length) {
./sqlrelay-0.39.4/test/dropin/postgresql.C: checkSuccess(PQescapeString(to,from,strlen(from)),7);
./sqlrelay-0.39.4/test/dropin/mysql.C: checkSuccess(mysql_escape_string(to,from,15),21);
./sqlrelay-0.39.4/TODO: (mysql_escape_string()/mysql_real_escape_string())
stardict-tools: Jose Carlos Medeiros
./stardict-tools-3.0.1/src/tabfile2sql.cpp: mysql_escape_string(word_buf, word, word_len);
./stardict-tools-3.0.1/src/tabfile2sql.cpp: mysql_escape_string(meaning_buf, meaning, meaning_len);
symfony: Martin Meredith
./symfony-1.0.20/lib/vendor/propel-generator/templates/sql/load/mysql/val.tpl: print "'" . mysql_escape_string($column->getValue()) . "'";
./symfony-1.0.20/lib/vendor/propel-generator/classes/propel/engine/platform/MysqlPlatform.php: return mysql_escape_string($text);
texfam: TSUCHIYA Masatoshi
./texfam-1.2.1/build-tree/teTeX-1.0/libs/libwww/HTSQL.c: mysql_escape_string(q, cp, strlen(cp));
typo3-src: Christian Welzel
./typo3-src-4.2.6/ChangeLog: * Update for bug #1354: Use mysql_escape_string() with PHP 4.1.x
ulogd: Achilleas Kotsis
./ulogd-1.24/mysql/ulogd_MYSQL.c: mysql_escape_string(stmt_ins, tmpstr, strlen(tmpstr));
./ulogd-1.24/mysql/ulogd_MYSQL.c: mysql_escape_string(stmt_ins, res->value.ptr, strlen(res->value.ptr));
./ulogd-1.24/debian/patches/strfix.patch:- mysql_escape_string(stmt_ins, tmpstr, - strlen(tmpstr));
./ulogd-1.24/debian/patches/strfix.patch:+ mysql_escape_string(stmt_ins, tmpstr, + strlen(tmpstr));
./ulogd-1.24/debian/patches/strfix.patch:- mysql_escape_string(stmt_ins, res->value.ptr, - strlen(res->value.ptr));
./ulogd-1.24/debian/patches/strfix.patch:+ mysql_escape_string(stmt_ins, res->value.ptr, + strlen(res->value.ptr));
./ulogd-1.24/debian/patches/strfix.patch:- PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
./ulogd-1.24/debian/patches/strfix.patch:+ PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
./ulogd-1.24/debian/patches/strfix.patch:- PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
./ulogd-1.24/debian/patches/strfix.patch:+ PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
./ulogd-1.24/pgsql/ulogd_PGSQL.c: PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
./ulogd-1.24/pgsql/ulogd_PGSQL.c: PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
w3c-libwww: Richard Atterer
./w3c-libwww-5.4.0/Library/src/HTSQL.c: mysql_escape_string(q, cp, strlen(cp));
webcalendar: WebCalendar Debian package development
./webcalendar-1.2.0+dfsg/includes/dbi4php.php: : mysql_escape_string ( $string ) ) );
webissues-server: Patrick Matthäi
./webissues-server-0.8.4/include/database-mysql.inc.php: return "'" . mysql_escape_string( $arg ) . "'";
wzdftpd: Pierre Chifflier
./wzdftpd-0.8.3/backends/pgsql/libpgsql_main.c:/** \todo XXX FIXME use PQescapeString() */
xindy: Jörg Sommer
./xindy-2.3/rte/clisp-2.43/modules/postgresql/postgresql.lisp:(def-call-out PQescapeString (:return-type uint)
zoneminder: Peter Howard
./zoneminder-1.24.1/web/includes/database.php: return( mysql_escape_string( stripslashes( $string ) ) );
./zoneminder-1.24.1/web/includes/database.php: return( mysql_escape_string( $string ) );
zoph: Edelhard Becker
./zoph-0.7.5/php/database.inc.php: return mysql_escape_string($str);
./zoph-0.7.5/contrib/zoph-0.3.3.postgres.diff:- return mysql_escape_string($str);
./zoph-0.7.5/contrib/zoph-0.3.3.postgres.diff:+ return mysql_escape_string($str);
Hi Steffen,
Steffen Joeris wrote:
> Thanks to Kees, I have prepared a list of packages (below) that are still
> using the deprecated functions.
Can you post a dd-list? Your list doesn't include uploaders so it's easy to miss
team maintained packages.
Thanks,
Emilio
Hi
On Thu, 15 Oct 2009 13:26:14 +1100 Steffen Joeris wrote:
> gammu: Michal Čihař
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer4, buffer2, strlen(buffer2));
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));
PQescapeString is used only if PQescapeStringConn is not available at
compile time, which was AFAIK the case in some older PostgreSQL versions.
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
On Thu, Oct 15, 2009 at 10:27:57AM +0200, Emilio Pozuelo Monfort wrote:
> > Thanks to Kees, I have prepared a list of packages (below) that are still
> > using the deprecated functions.
> Can you post a dd-list? Your list doesn't include uploaders so it's easy to miss
> team maintained packages.
Please find below the result of:
$ egrep '^\w+:' body.txt | grep -v NOTE | cut -f 1 -d: | dd-list --stdin > dd-list.txt
where body.txt is the body of Steffen's mail. I just added Myon by hand
because libyada is only in stable and on my sid machine dd-list didn't
find it.
Cheers.
Carlos Eduardo Sotelo Pinto (krlos)
sitebar
Marcelo Jorge Vieira (metal)
scuttle
Micah Anderson
dsyslog (U)
Leopold Palomo Avellaneda
bulmages (U)
Christian Bayle
cvsnt (U)
Romain Beauxis
mediawiki (U)
Edelhard Becker
zoph
Dave Beckett
redland
Luciano Bello
nepenthes
Marcus Better
ser (U)
Darren Blaber
dsyslog (U)
Matt Brown
phpwiki
Ross Burton
onak (U)
Luca Capello
clisp (U)
Nuno Carvalho
parrot (U)
Thadeu Lima de Souza Cascardo
jabberd2 (U)
Pierre Chifflier
libpreludedb (U)
ulogd (U)
wzdftpd
Debian BOINC Maintainers
boinc
Debian Common Lisp Team
clisp
Debian GNOME Maintainers
libgda3
Debian Parrot Maintainers
parrot
Debian VoIP Team
gnugk
ser
Debian XMPP Maintainers
jabberd2
WebCalendar Debian package development
webcalendar
Peter Eisentraut
pgpool2
Raphael Enrici
pgadmin3
Peter Van Eynde
clisp (U)
Gerfried Fuchs
pgadmin3 (U)
spl
David Moreno Garza
phpwiki (U)
Thomas Goirand
dtc
Stephen Gran
freeradius
Debian QA Group
mnogosearch
pgtcl
prokyon3
sqlrelay
Pascal Hakim
snort (U)
Peter Howard
zoneminder
Mark Hymers
freeradius (U)
Matthias Klose
pygresql
Achilleas Kotsis
ulogd
Kilian Krause
gnugk (U)
ser (U)
Elizabeth Krumbach
webcalendar (U)
Rafael Laboissiere
webcalendar (U)
Carlos Laviola
fpc
Penny Leach
moodle (U)
Faidon Liambotis
gnugk (U)
Xavier Luthi
b2evolution
pixelpost
Francois Marier
moodle (U)
Christoph Martin
boinc (U)
TSUCHIYA Masatoshi
texfam
Rene Mayorga
boinc (U)
Jonathan McDowell
onak
Mediawiki Maintenance Team
mediawiki
Martin Meredith
symfony
Patrick Michaud
parrot (U)
Miguel Gea Milvaques
bulmages (U)
Loic Minier
libgda3 (U)
Steffen Moeller
boinc (U)
Emilio Pozuelo Monfort
libgda3 (U)
René Mérou
bulmages
Mazen Neifer
fpc (U)
Javier Fernandez-Sanguino Pen~a
snort
Mathieu Petit-Clair
moodle (U)
William Pitcock
dsyslog
Dan Poltawski
moodle (U)
Mickael Profeta
libpreludedb
Mark Purcell
gnugk (U)
ser (U)
Allison Randal
parrot (U)
Tomeu Borràs Riera
bulmages (U)
Jorge Salamero Sanz
jabberd2 (U)
Jens Peter Secher
neko
Charlie Smotherman
ampache
Jörg Sommer
xindy
Radu Spineanu
pvpgn
Uwe Steinmann
netmrg
Moodle Packaging Team
moodle
Fabio Tranchitella
psycopg2
Andreas Tscharner
cvsnt
Torsten Werner
fpc (U)
Michal Čihař
gammu
rpm2html
Christoph Berg
libyada
--
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/
Behind a great man there is always a backpack | And don't hold it against me if I address you as "tu": I say "tu" to everyone I love
Hi Steffen,
In future checks it would be easier and more accurate to look for the
deprecated functions on the binary packages, because not all of the
packages ship/use all of the files they include in the source package.
FTR, in php 5.3 the mysql_escape_string function is marked as deprecated
(and depending on the error reporting level it will warn) and in php6 it is
gone. And applications using pgsql don't need any change as the pgsql
extension uses PQescapeStringConn if available at compile time and if
there's an active connection.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Raphael Geissert writes:
> FTR, in php 5.3 the mysql_escape_string function is marked as
> deprecated (and depending on the error reporting level it will warn)
> and in php6 it is gone.
Reference, please? I'd like to know what function is recommended to
replace this one.
--
“Never use a long word when there's a commensurate diminutive available.” —Stan Kelly-Bootle
Ben Finney
2009-10-16, Ben Finney:
> Raphael Geissert writes:
>
> > FTR, in php 5.3 the mysql_escape_string function is marked as
> > deprecated (and depending on the error reporting level it will warn)
> > and in php6 it is gone.
>
> Reference, please? I'd like to know what function is recommended to
> replace this one.
>
According to php.net [0], they recommend using 'mysql_real_escape_string'
instead [1]. Note that mysql_real_escape_string behaves a little differently
from mysql_escape_string, though.
[0] http://ar2.php.net/mysql_escape_string
[1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php
Regards,
Mauro
--
JID: lavaramano@jabber.org | http://lizaur.github.com/
2B82 A38D 1BA5 847A A74D 6C34 6AB7 9ED6 C8FD F9C1
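The "behaves a little bit different" point above is the connection charset: the deprecated escapers work one byte at a time, while the replacements escape per character of the charset the connection negotiated. The Python below is an added illustration of that difference, not code from this thread or from any of the packages listed in it; the function names are mine, the byte-at-a-time model is a simplification of what the C libraries do, malformed input is rejected rather than repaired (stricter than the library), and `literal_closes_cleanly` is a check that scans the resulting literal the way a charset-aware SQL lexer would.

```python
# Added illustration, not code from this thread or from any listed package.
# Two escaping strategies, modelled in simplified form (my assumptions):
#   escape_bytewise      - byte by byte, like the deprecated mysql_escape_string()
#   escape_with_charset  - per character of the connection charset, the property
#                          that mysql_real_escape_string()/PQescapeStringConn() add

# Bytes that MySQL backslash escaping must neutralise, with their replacements.
_ESCAPES = {
    0x00: b"\\0",   # NUL
    0x0A: b"\\n",   # newline
    0x0D: b"\\r",   # carriage return
    0x1A: b"\\Z",   # Ctrl-Z
    0x22: b'\\"',   # double quote
    0x27: b"\\'",   # single quote
    0x5C: b"\\\\",  # backslash
}


def escape_bytewise(data: bytes) -> bytes:
    """Connection-unaware escaping: one byte at a time, with no idea which
    bytes belong to the same multibyte character. Under a charset whose
    trail bytes may be 0x5C (GBK, Big5, ...) the inserted backslash can
    merge with the preceding byte into a character, or a legitimate
    trail byte 0x5C gets doubled."""
    out = bytearray()
    for b in data:
        out += _ESCAPES.get(b, bytes([b]))
    return bytes(out)


def escape_with_charset(data: bytes, charset: str) -> bytes:
    """Connection-aware escaping: decode under the connection charset first,
    so escaping happens per character and never splits a multibyte sequence.
    Raises UnicodeDecodeError for input that is not valid in that charset
    (a simplification: the input is rejected instead of repaired)."""
    out = []
    for ch in data.decode(charset):
        repl = _ESCAPES.get(ord(ch))
        out.append(repl.decode("ascii") if repl is not None else ch)
    return "".join(out).encode(charset)


def literal_closes_cleanly(escaped: bytes, charset: str) -> bool:
    """Defender's check: scan '<escaped>' the way a charset-aware SQL lexer
    does and report whether the quoted literal ends exactly at its last byte.
    False means either a bare quote terminated it early (everything after it
    is parsed as SQL) or a stray backslash swallowed the closing quote."""
    text = (b"'" + escaped + b"'").decode(charset, errors="replace")
    i = 1                                  # skip the opening quote
    while i < len(text):
        if text[i] == "\\":
            i += 2                         # backslash escapes the next character
            continue
        if text[i] == "'":
            return i == len(text) - 1      # must be the closing quote
        i += 1
    return False                           # never closed


if __name__ == "__main__":
    # Constructed samples: a plain apostrophe, a GBK lead byte followed by a
    # quote (not a valid GBK character), and the valid GBK character 0xBF5C,
    # whose trail byte happens to be the backslash.
    for sample in (b"O'Reilly", b"\xbf'", b"\xbf\\"):
        naive = escape_bytewise(sample)
        print(sample.hex(), "bytewise ->", naive.hex(),
              "closes cleanly under GBK:", literal_closes_cleanly(naive, "gbk"))
        try:
            aware = escape_with_charset(sample, "gbk")
            print("      charset-aware ->", aware.hex(),
                  "closes cleanly under GBK:", literal_closes_cleanly(aware, "gbk"))
        except UnicodeDecodeError:
            print("      charset-aware -> rejected: not valid GBK input")
```

Under UTF-8 the byte-wise escaper passes the same check, which matches the thread's statement that UTF-8 connections are not affected: UTF-8 continuation bytes can never be 0x27 or 0x5C.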
Mauro Lizaur writes:
> According to php.net [0], they recommend to use
> 'mysql_real_escape_string' instead [1]. Note that
> mysql_real_escape_string behaves a little bit different from
> mysql_escape_string, though.
>
> [0] http://ar2.php.net/mysql_escape_string
> [1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php
Thank you for the prompt answer.
--
“We spend the first twelve months of our children's lives teaching them to walk and talk and the next twelve years telling them to sit down and shut up.” —Phyllis Diller
Ben Finney
On Thu, 2009-10-15 at 13:26 +1100, Steffen Joeris wrote:
> Hi everyone
>
> We had a few issues in the past with insufficient database escaping, which led
> to possible SQL injections due to the use of the deprecated functions
> mysql_escape_string() and PQescapeString().
> These functions do not take the encoding of the established connection into
> account, which can lead to insufficient escaping, if the encoding of this
> connection can be set to certain multibyte character encodings (such as GBK).
> I found the explanation given in this email[0] quite useful to elaborate on
> the thread.
>
> In order to prevent this issue, the new functions mysql_real_escape_string()
> [1] and PQescapeStringConn()[2] have been added, which honour the specific
> encoding of the connection.
>
[snip]
>
> ampache: Charlie Smotherman
> ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $filenam2 = mysql_escape_string($filename);
> ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $res2 = mysql_escape_string(serialize($result));
>
Steffen,
Thanks for the mail. I have patched ampache to use
mysql_real_escape_string(). I would appreciate it if someone would
sponsor this fix.
http://mentors.debian.net/debian/pool/main/a/ampache/ampache_3.5.1-2.dsc
Thank you
Charlie Smotherman
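As an added illustration of the encoding problem Steffen describes and of the behavioural difference Ben mentions, here is a small Python model (the thread's code is PHP; this is not code from the thread, from ampache or from MySQL) of a byte-wise escape, as the deprecated mysql_escape_string() performs, next to a GBK-aware escape in the spirit of mysql_real_escape_string(). The GBK lead/trail byte ranges and the escaped-character table are written out for the example, the sample input is constructed, and `literal_is_intact` models a charset-aware SQL lexer under the assumption that a backslash consumes exactly one following byte.

```python
"""Connection-unaware versus GBK-aware escaping (added example, constructed)."""


def gbk_char_len(data: bytes, i: int) -> int:
    """Byte length of the GBK character starting at data[i].

    Returns 2 for a lead byte (0x81-0xFE) followed by a valid trail byte
    (0x40-0x7E or 0x80-0xFE), otherwise 1 (single byte, or a lead byte that
    does not start a valid two-byte sequence).
    """
    lead = data[i]
    if 0x81 <= lead <= 0xFE and i + 1 < len(data):
        trail = data[i + 1]
        if 0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE:
            return 2
    return 1


# Characters that must be backslash-escaped inside a SQL string literal.
SPECIALS = {0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\",
            0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}


def escape_bytewise(data: bytes) -> bytes:
    """Encoding-unaware escape: one byte at a time, like the deprecated
    function. Fine for single-byte charsets and for UTF-8 (where 0x5C is
    never a continuation byte), wrong for GBK."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in data)


def escape_for_gbk(data: bytes) -> bytes:
    """Charset-aware escape for a GBK connection.

    A valid two-byte character is copied through untouched (so the 0x5C
    trail byte of a legitimate character is not doubled). A lone lead byte,
    one not followed by a valid trail byte, is itself escaped, so that an
    escaped quote after it can no longer be absorbed into a two-byte
    character by the server's parser.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n == 2:
            out += data[i:i + 2]
        elif 0x81 <= data[i] <= 0xFE:
            out += b"\\" + bytes([data[i]])
        else:
            out += SPECIALS.get(data[i], bytes([data[i]]))
        i += n
    return bytes(out)


def literal_is_intact(escaped: bytes) -> bool:
    """Defender's check: scan an escaped value the way a GBK-aware lexer
    scans the inside of a single-quoted literal (assumption: a backslash
    consumes the next byte; a valid GBK pair is one character). False means
    an unescaped quote would terminate the literal early."""
    i = 0
    while i < len(escaped):
        if escaped[i] == 0x5C:
            i += 2
            continue
        n = gbk_char_len(escaped, i)
        if n == 1 and escaped[i] == 0x27:
            return False
        i += n
    return True


# Constructed inputs: a GBK lead byte directly followed by a quote, and a
# legitimate GBK character whose trail byte happens to be 0x5C.
LONE_LEAD_THEN_QUOTE = b"\xbf'"
VALID_GBK_CHAR = b"\xbf\x5c"

if __name__ == "__main__":
    for name, fn in (("bytewise", escape_bytewise), ("gbk-aware", escape_for_gbk)):
        for sample in (LONE_LEAD_THEN_QUOTE, VALID_GBK_CHAR):
            esc = fn(sample)
            print(f"{name:10s} {sample!r:14s} -> {esc!r:20s} intact={literal_is_intact(esc)}")
```

Running it shows the two differences in one place: the byte-wise escape leaves a quote that the GBK-aware scan still sees as a terminator, and it also doubles the trail byte of a perfectly valid GBK character, which is the "behaves a little bit different" part of the story. The practical consequence for PHP code is the one Charlie applied, plus telling the client library the charset through mysql_set_charset() rather than a raw SET NAMES query, so that mysql_real_escape_string() actually knows which encoding to apply.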