aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/DB.pm15
-rw-r--r--Bugzilla/DB/Pg.pm2
-rwxr-xr-xattachment.cgi14
3 files changed, 28 insertions, 3 deletions
diff --git a/Bugzilla/DB.pm b/Bugzilla/DB.pm
index 07e23f0e7..5256a5434 100644
--- a/Bugzilla/DB.pm
+++ b/Bugzilla/DB.pm
@@ -51,6 +51,16 @@ use Bugzilla::Error;
use Bugzilla::DB::Schema;
use Bugzilla::User;
+#####################################################################
+# Constants
+#####################################################################
+
+use constant BLOB_TYPE => DBI::SQL_BLOB;
+
+#####################################################################
+# Deprecated Functions
+#####################################################################
+
# All this code is backwards compat fu. As such, its a bit ugly. Note the
# circular dependencies on Bugzilla.pm
# This is old cruft which will be removed, so theres not much use in
@@ -787,6 +797,11 @@ constants are required to be subroutines or "use constant" variables.
=over 4
+=item C<BLOB_TYPE>
+
+The C<\%attr> argument that must be passed to bind_param in order to
+correctly escape a C<LONGBLOB> type.
+
=item C<REQUIRED_VERSION>
This is the minimum required version of the database server that the
diff --git a/Bugzilla/DB/Pg.pm b/Bugzilla/DB/Pg.pm
index be921f4d1..e635096f2 100644
--- a/Bugzilla/DB/Pg.pm
+++ b/Bugzilla/DB/Pg.pm
@@ -42,10 +42,12 @@ package Bugzilla::DB::Pg;
use strict;
use Bugzilla::Error;
+use DBD::Pg;
# This module extends the DB interface via inheritance
use base qw(Bugzilla::DB);
+use constant BLOB_TYPE => { pg_type => DBD::Pg::PG_BYTEA };
use constant REQUIRED_VERSION => '7.03.0000';
use constant PROGRAM_NAME => 'PostgreSQL';
use constant MODULE_NAME => 'Pg';
diff --git a/attachment.cgi b/attachment.cgi
index bffba5bc4..054c8e62a 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -913,7 +913,6 @@ sub insert
$filename = SqlQuote($filename);
my $description = SqlQuote($::FORM{'description'});
my $contenttype = SqlQuote($::FORM{'contenttype'});
- my $thedata = SqlQuote($data);
my $isprivate = $::FORM{'isprivate'} ? 1 : 0;
# Figure out when the changes were made.
@@ -921,8 +920,17 @@ sub insert
my $sql_timestamp = SqlQuote($timestamp);
# Insert the attachment into the database.
- SendSQL("INSERT INTO attachments (bug_id, creation_ts, filename, description, mimetype, ispatch, isprivate, submitter_id, thedata)
- VALUES ($::FORM{'bugid'}, $sql_timestamp, $filename, $description, $contenttype, $::FORM{'ispatch'}, $isprivate, $::userid, $thedata)");
+ my $sth = $dbh->prepare("INSERT INTO attachments
+ (thedata, bug_id, creation_ts, filename, description,
+ mimetype, ispatch, isprivate, submitter_id)
+ VALUES (?, $::FORM{'bugid'}, $sql_timestamp, $filename,
+ $description, $contenttype, $::FORM{'ispatch'},
+ $isprivate, $::userid)");
+ # We only use $data here in this INSERT with a placeholder,
+ # so it's safe.
+ trick_taint($data);
+ $sth->bind_param(1, $data, $dbh->BLOB_TYPE);
+ $sth->execute();
# Retrieve the ID of the newly created attachment record.
my $attachid = $dbh->bz_last_key('attachments', 'attach_id');