-rw-r--r-- | Bugzilla/DB.pm | 15 | ||||
-rw-r--r-- | Bugzilla/DB/Pg.pm | 2 | ||||
-rwxr-xr-x | attachment.cgi | 14 |
3 files changed, 28 insertions, 3 deletions
diff --git a/Bugzilla/DB.pm b/Bugzilla/DB.pm index 07e23f0e7..5256a5434 100644 --- a/Bugzilla/DB.pm +++ b/Bugzilla/DB.pm @@ -51,6 +51,16 @@ use Bugzilla::Error; use Bugzilla::DB::Schema; use Bugzilla::User; +##################################################################### +# Constants +##################################################################### + +use constant BLOB_TYPE => DBI::SQL_BLOB; + +##################################################################### +# Deprecated Functions +##################################################################### + # All this code is backwards compat fu. As such, its a bit ugly. Note the # circular dependencies on Bugzilla.pm # This is old cruft which will be removed, so theres not much use in @@ -787,6 +797,11 @@ constants are required to be subroutines or "use constant" variables. =over 4 +=item C<BLOB_TYPE> + +The C<\%attr> argument that must be passed to bind_param in order to +correctly escape a C<LONGBLOB> type. + =item C<REQUIRED_VERSION> This is the minimum required version of the database server that the diff --git a/Bugzilla/DB/Pg.pm b/Bugzilla/DB/Pg.pm index be921f4d1..e635096f2 100644 --- a/Bugzilla/DB/Pg.pm +++ b/Bugzilla/DB/Pg.pm @@ -42,10 +42,12 @@ package Bugzilla::DB::Pg; use strict; use Bugzilla::Error; +use DBD::Pg; # This module extends the DB interface via inheritance use base qw(Bugzilla::DB); +use constant BLOB_TYPE => { pg_type => DBD::Pg::PG_BYTEA }; use constant REQUIRED_VERSION => '7.03.0000'; use constant PROGRAM_NAME => 'PostgreSQL'; use constant MODULE_NAME => 'Pg'; diff --git a/attachment.cgi b/attachment.cgi index bffba5bc4..054c8e62a 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -913,7 +913,6 @@ sub insert $filename = SqlQuote($filename); my $description = SqlQuote($::FORM{'description'}); my $contenttype = SqlQuote($::FORM{'contenttype'}); - my $thedata = SqlQuote($data); my $isprivate = $::FORM{'isprivate'} ? 1 : 0; # Figure out when the changes were made. 
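Review bot: The POD added in the second DB.pm hunk describes BLOB_TYPE as `The C<\%attr> argument that must be passed to bind_param`, but the base-class value defined in the first hunk, `use constant BLOB_TYPE => DBI::SQL_BLOB;`, is a plain DBI SQL type scalar; only the Pg.pm override in this commit is an attribute hashref. bind_param accepts either form as its third argument, so the code works, but the doc should describe the actual contract, e.g. `The value to pass as the third argument of C<bind_param> (a DBI SQL type constant, or a driver-specific C<\%attr> hashref) so that a C<LONGBLOB> column is escaped correctly; drivers override it as needed.` Whether DB.pm already loads DBI so that `DBI::SQL_BLOB` resolves at compile time is outside the hunk and should be confirmed.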
@@ -921,8 +920,17 @@ sub insert my $sql_timestamp = SqlQuote($timestamp); # Insert the attachment into the database. - SendSQL("INSERT INTO attachments (bug_id, creation_ts, filename, description, mimetype, ispatch, isprivate, submitter_id, thedata) - VALUES ($::FORM{'bugid'}, $sql_timestamp, $filename, $description, $contenttype, $::FORM{'ispatch'}, $isprivate, $::userid, $thedata)"); + my $sth = $dbh->prepare("INSERT INTO attachments + (thedata, bug_id, creation_ts, filename, description, + mimetype, ispatch, isprivate, submitter_id) + VALUES (?, $::FORM{'bugid'}, $sql_timestamp, $filename, + $description, $contenttype, $::FORM{'ispatch'}, + $isprivate, $::userid)"); + # We only use $data here in this INSERT with a placeholder, + # so it's safe. + trick_taint($data); + $sth->bind_param(1, $data, $dbh->BLOB_TYPE); + $sth->execute(); # Retrieve the ID of the newly created attachment record. my $attachid = $dbh->bz_last_key('attachments', 'attach_id'); |
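Review bot: The new INSERT still interpolates `$::FORM{'bugid'}` and `$::FORM{'ispatch'}` raw into the SQL string on the VALUES line while only `thedata` gets a placeholder; now that the statement is prepared anyway, binding those two values removes the last string-built, form-derived values from this statement regardless of what validation `insert` performs earlier (the sub starts outside the hunk). `ispatch` is also inconsistent with `$isprivate`, which the preceding hunk normalizes with `? 1 : 0` before use, so I would normalize it the same way. Note that `execute(@values)` rebinds every placeholder as a plain string and would clobber the BLOB binding on placeholder 1, so the extra values have to go through `bind_param` and `execute()` must stay argument-free. If the handle is opened with TaintIn, the bound form values would need the same detainting as `$data`; I cannot tell from the hunk, nor whether RaiseError is set so that an unchecked `execute()` is safe.
```perl
    my $ispatch = $::FORM{'ispatch'} ? 1 : 0;
    my $sth = $dbh->prepare("INSERT INTO attachments
                             (thedata, bug_id, creation_ts, filename, description,
                              mimetype, ispatch, isprivate, submitter_id)
                             VALUES (?, ?, $sql_timestamp, $filename,
                                     $description, $contenttype, ?,
                                     $isprivate, $::userid)");
    # We only use $data here in this INSERT with a placeholder,
    # so it's safe.
    trick_taint($data);
    $sth->bind_param(1, $data, $dbh->BLOB_TYPE);
    # bug_id and ispatch are bound too, so no form value reaches the SQL text.
    $sth->bind_param(2, $::FORM{'bugid'});
    $sth->bind_param(3, $ispatch);
    $sth->execute();
    # … unchanged: bz_last_key lookup of the new attach_id …
```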