Activated strict SQL mode, minor SQL injection fix, fixed _vl() debug helper.

[fa-stable.git] / includes / db / connect_db_mysqli.inc

diff --git a/includes/db/connect_db_mysqli.inc b/includes/db/connect_db_mysqli.inc
index 48b57402df0d1e68696f2273112d69f358cac9f9..696fd8285a1646bc49aa406a41ff8ae4e7a32923 100644 (file)
--- a/includes/db/connect_db_mysqli.inc
+++ b/includes/db/connect_db_mysqli.inc
@@ -10,7 +10,7 @@
     See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
 ***********************************************************************/
 define('DB_DUPLICATE_ERROR', 1062);
-define('SQL_MODE', ''); // STRICT_ALL_TABLES,NO_ZERO_IN_DATE ?
+define('SQL_MODE', 'STRICT_ALL_TABLES'); // prevents SQL injection with silent field content truncation
 
 $db_last_inserted_id = 0;
 
@@ -135,8 +135,8 @@ function db_num_fields($result)
 function db_escape($value = "", $nullify = false)
 {
        global $db;
-       
-       $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
+
+       $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding);
        $value = html_specials_encode($value);
 
        //reset default if second parameter is skipped