From 73d5c451f2dae07835a951c535ff7f3db183ed11 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski <janusz@frontaccounting.eu>
Date: Fri, 18 Apr 2008 09:58:31 +0000
Subject: [PATCH] Changed db_escape function to avoid XSS atacksvia db
 javascript injection

---
 includes/db/connect_db.inc | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/includes/db/connect_db.inc b/includes/db/connect_db.inc
index 0b6e4eb9..75469fb9 100644
--- a/includes/db/connect_db.inc
+++ b/includes/db/connect_db.inc
@@ -33,8 +33,8 @@ function db_query($sql, $err_msg=null)
 	$result = mysql_query($sql, $db);
 	if ($err_msg != null)
 	  if (function_exists('xdebug_call_file'))
-		check_db_error('<br>At file '.xdebug_call_file().':'.xdebug_call_line().':<br>'.$err_msg, $sql);	  
-	  else 
+		check_db_error('<br>At file '.xdebug_call_file().':'.xdebug_call_line().':<br>'.$err_msg, $sql);
+	  else
 		check_db_error($err_msg, $sql);
 
 	return $result;
@@ -78,6 +78,36 @@ function db_escape ($result)
 	return mysql_escape_string($result);
 }
 
+function db_quote($value = "", $nullify = false)
+{
+	$value = htmlspecialchars($value, ENT_COMPAT, $_SESSION['language']->encoding);
+
+  	//reset default if second parameter is skipped
+	$nullify = ($nullify === null) ? (false) : ($nullify);
+  	//undo slashes for poorly configured servers
+	$value = (get_magic_quotes_gpc()) ? (stripslashes($value)) : ($value);
+
+  	//check for null/unset/empty strings
+	if ((!isset($value)) || (is_null($value)) || ($value === "")) {
+		$value = ($nullify) ? ("NULL") : ("''");
+	} else {
+		if (is_string($value)) {
+      		//value is a string and should be quoted; determine best method based on available extensions
+			if (function_exists('mysql_real_escape_string')) {
+		  		$value = "'" . mysql_real_escape_string($value) . "'";
+			} else {
+			  $value = "'" . mysql_escape_string($value) . "'";
+			}
+		} else if (!is_numeric($value)) {
+			//value is not a string nor numeric
+			display_error("ERROR: incorrect data type send to sql query");
+			echo '<br><br>';
+			exit();
+		}
+	}
+	return $value;
+}
+
 function db_error_no ()
 {
 	global $db;
-- 
2.30.2