aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/includes/auth.php
diff options
context:
space:
mode:
Diffstat (limited to 'phpBB/includes/auth.php')
-rw-r--r--phpBB/includes/auth.php105
1 files changed, 76 insertions, 29 deletions
diff --git a/phpBB/includes/auth.php b/phpBB/includes/auth.php
index 4e6a8af1d8..c578881c3f 100644
--- a/phpBB/includes/auth.php
+++ b/phpBB/includes/auth.php
@@ -478,18 +478,11 @@ class auth
$sql_user = ($user_id !== false) ? ((!is_array($user_id)) ? "user_id = $user_id" : $db->sql_in_set('user_id', $user_id)) : '';
$sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND ' . $db->sql_in_set('a.forum_id', $forum_id)) : '';
- $sql_opts = '';
+ $sql_opts = $sql_escape = '';
if ($opts !== false)
{
- if (!is_array($opts))
- {
- $sql_opts = (strpos($opts, '%') !== false) ? "AND ao.auth_option LIKE '" . $db->sql_escape($opts) . "'" : "AND ao.auth_option = '" . $db->sql_escape($opts) . "'";
- }
- else
- {
- $sql_opts = 'AND ' . $db->sql_in_set('ao.auth_option', $opts);
- }
+ $this->build_auth_option_statement('ao.auth_option', $opts, $sql_opts, $sql_escape);
}
$hold_ary = array();
@@ -519,7 +512,7 @@ class auth
'ORDER_BY' => 'a.forum_id, ao.auth_option'
));
- $result = $db->sql_query($sql);
+ $result = $db->sql_query($sql . $sql_escape);
while ($row = $db->sql_fetchrow($result))
{
@@ -595,18 +588,11 @@ class auth
$sql_user = ($user_id !== false) ? ((!is_array($user_id)) ? "user_id = $user_id" : $db->sql_in_set('user_id', $user_id)) : '';
$sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND ' . $db->sql_in_set('a.forum_id', $forum_id)) : '';
- $sql_opts = '';
+ $sql_opts = $sql_escape = '';
if ($opts !== false)
{
- if (!is_array($opts))
- {
- $sql_opts = (strpos($opts, '%') !== false) ? "AND ao.auth_option LIKE '" . $db->sql_escape($opts) . "'" : "AND ao.auth_option = '" . $db->sql_escape($opts) . "'";
- }
- else
- {
- $sql_opts = 'AND ' . $db->sql_in_set('ao.auth_option', $opts);
- }
+ $this->build_auth_option_statement('ao.auth_option', $opts, $sql_opts, $sql_escape);
}
$hold_ary = array();
@@ -634,7 +620,7 @@ class auth
'ORDER_BY' => 'a.forum_id, ao.auth_option'
));
- $result = $db->sql_query($sql);
+ $result = $db->sql_query($sql . $sql_escape);
while ($row = $db->sql_fetchrow($result))
{
@@ -656,16 +642,11 @@ class auth
$sql_group = ($group_id !== false) ? ((!is_array($group_id)) ? "group_id = $group_id" : $db->sql_in_set('group_id', $group_id)) : '';
$sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND ' . $db->sql_in_set('a.forum_id', $forum_id)) : '';
+ $sql_opts = $sql_escape = '';
+
if ($opts !== false)
{
- if (!is_array($opts))
- {
- $sql_opts = (strpos($opts, '%') !== false) ? "AND ao.auth_option LIKE '" . $db->sql_escape($opts) . "'" : "AND ao.auth_option = '" . $db->sql_escape($opts) . "'";
- }
- else
- {
- $sql_opts = 'AND ' . $db->sql_in_set('ao.auth_option', $opts);
- }
+ $this->build_auth_option_statement('ao.auth_option', $opts, $sql_opts, $sql_escape);
}
$hold_ary = array();
@@ -693,7 +674,7 @@ class auth
'ORDER_BY' => 'a.forum_id, ao.auth_option'
));
- $result = $db->sql_query($sql);
+ $result = $db->sql_query($sql . $sql_escape);
while ($row = $db->sql_fetchrow($result))
{
@@ -781,6 +762,72 @@ class auth
trigger_error('Authentication method not found', E_USER_ERROR);
}
+
+ /**
+ * Fill auth_option statement for later querying based on the supplied options
+ */
+ function build_auth_option_statement($key, $auth_options, &$sql_opts, &$sql_escape)
+ {
+ global $db;
+
+ if (!is_array($auth_options))
+ {
+ if (strpos($auth_options, '%') !== false)
+ {
+ if (strpos($auth_options, '_') !== false)
+ {
+ $sql_opts = "AND $key LIKE '" . $db->sql_escape(str_replace('_', "\_", $auth_options)) . "'";
+ $sql_escape = (SQL_LAYER == 'mssql' || SQL_LAYER == 'mssql_odbc') ? " ESCAPE '\\'" : '';
+ }
+ else
+ {
+ $sql_opts = "AND $key LIKE '" . $db->sql_escape($auth_options) . "'";
+ }
+ }
+ else
+ {
+ $sql_opts = "AND $key = '" . $db->sql_escape($auth_options) . "'";
+ }
+ }
+ else
+ {
+ $is_like_expression = $is_underline = false;
+
+ foreach ($auth_options as $option)
+ {
+ if (strpos($option, '%') !== false)
+ {
+ $is_like_expression = true;
+ }
+
+ if (strpos($option, '_') !== false)
+ {
+ $is_underline = true;
+ }
+ }
+
+ if (!$is_like_expression)
+ {
+ $sql_opts = 'AND ' . $db->sql_in_set($key, $auth_options);
+ }
+ else
+ {
+ $sql = array();
+
+ foreach ($auth_options as $option)
+ {
+ $sql[] = $key . " LIKE '" . $db->sql_escape(str_replace('_', "\_", $option)) . "'";
+ }
+
+ $sql_opts = 'AND (' . implode(' OR ', $sql) . ')';
+
+ if ($is_underline)
+ {
+ $sql_escape = (SQL_LAYER == 'mssql' || SQL_LAYER == 'mssql_odbc') ? " ESCAPE '\\'" : '';
+ }
+ }
+ }
+ }
}
?> \ No newline at end of file
generated by cgit v1.2.1 (git 2.21.0) at 2025-08-01 10:40:39 +0000