X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;ds=inline;f=includes%2Fdb%2Fconnect_db_mysqli.inc;h=ee7ad583b8108f5411311e6af28134f8577b6275;hb=7618d9d62ee39a932f56565a4ce25d965bf53462;hp=48b57402df0d1e68696f2273112d69f358cac9f9;hpb=7f32bbd73c782449684cf6c6bf987e5bfbae9eb7;p=fa-stable.git

diff --git a/includes/db/connect_db_mysqli.inc b/includes/db/connect_db_mysqli.inc
index 48b57402..ee7ad583 100644
--- a/includes/db/connect_db_mysqli.inc
+++ b/includes/db/connect_db_mysqli.inc
@@ -10,7 +10,7 @@
     See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
 ***********************************************************************/
 define('DB_DUPLICATE_ERROR', 1062);
-define('SQL_MODE', ''); // STRICT_ALL_TABLES,NO_ZERO_IN_DATE ?
+define('SQL_MODE', 'STRICT_ALL_TABLES'); // prevents SQL injection with silent field content truncation
 
 $db_last_inserted_id = 0;
 
@@ -72,17 +72,10 @@ function db_query($sql, $err_msg=null)
 			$retry = 0;
 	} while ($retry);
 
-	db_profile($sql);
+	if($SysPrefs->db_trail == 1)
+		$db_last_inserted_id = mysqli_insert_id($db);	// cache to avoid trail overwrite
 
-	if($SysPrefs->sql_trail) {
-		$db_last_inserted_id = mysqli_insert_id($db);	// preserve in case trail insert is done
-		if ($SysPrefs->select_trail || (strstr($sql, 'SELECT') === false)) {
-			mysqli_query($db, "INSERT INTO ".$cur_prefix."sql_trail
-				(`sql`, `result`, `msg`)
-				VALUES(".db_escape($sql).",".($result ? 1 : 0).",
-				".db_escape($err_msg).")");
-		}
-	}
+	db_profile($sql);
 
 	if ($err_msg != null || $SysPrefs->go_debug) {
 		$exit = $err_msg != null;
@@ -135,8 +128,8 @@ function db_num_fields($result)
 function db_escape($value = "", $nullify = false)
 {
 	global $db;
-	
-	$value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
+
+	$value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding);
 	$value = html_specials_encode($value);
 
   	//reset default if second parameter is skipped
@@ -174,7 +167,7 @@ function db_insert_id()
 {
 	global $db_last_inserted_id, $SysPrefs, $db;
 
-	return $SysPrefs->sql_trail ? $db_last_inserted_id : mysqli_insert_id($db);
+	return $SysPrefs->db_trail == 1 ? $db_last_inserted_id : mysqli_insert_id($db);
 }
 
 function db_num_affected_rows()