Changeset 550 for trunk/lib/Version.inc.php
- Timestamp:
- Nov 24, 2015 5:38:54 PM (8 years ago)
- File:
-
- 1 edited
trunk/lib/Version.inc.php
r532 r550 56 56 // If true, makes an exact comparison of saved vs. live table schemas. If false, just checks that the saved columns are available. 57 57 'db_schema_strict' => true, 58 59 // Serialization method. 60 // Legacy installations will have been using 'phpserialize' but these should migrate to use 'json' to avoid PHP object injection https://www.owasp.org/index.php/PHP_Object_Injection 61 'serialization_method' => 'phpserialize', // Or 'json' 58 62 ); 59 63 … … 161 165 public function setParam($params=null) 162 166 { 167 $app =& App::getInstance(); 168 169 if (isset($params['serialization_method']) && !in_array($params['serialization_method'], ['phpserialize', 'json'])) { 170 trigger_error(sprintf('Invalid serialization_method: %s', $params['serialization_method']), E_USER_ERROR); 171 } 163 172 if (isset($params) && is_array($params)) { 164 173 // Merge new parameters with old overriding only those passed. … … 220 229 // Clean-up old versions. 221 230 $this->deleteOld($record_table, $record_key, $record_val); 231 232 // Serialize the DB record. 233 switch ($this->getParam('serialization_method')) { 234 case 'phpserialize': 235 $data = gzcompress(serialize($record), 9); 236 break; 237 238 case 'json': 239 $data = gzcompress(json_encode($record), 9); 240 break; 241 } 222 242 223 243 // Save as new version. … … 238 258 '" . $db->escapeString($record_key) . "', 239 259 '" . $db->escapeString($record_val) . "', 240 '" . $db->escapeString( gzcompress(serialize($record), 9)) . "',260 '" . $db->escapeString($data) . "', 241 261 '" . $db->escapeString($title) . "', 242 262 '" . $db->escapeString($last_version_number + 1) . "', … … 266 286 // Get version data. 267 287 $qid = $db->query(" 268 SELECT * FROM " . $db->escapeString($this->getParam('db_table')) . " 288 SELECT * 289 FROM " . $db->escapeString($this->getParam('db_table')) . " 269 290 WHERE version_id = '" . $db->escapeString($version_id) . 
"' 270 291 "); … … 274 295 return false; 275 296 } 276 $data = unserialize(gzuncompress($record['version_data'])); 297 298 // Unserialize the DB record. 299 switch ($this->getParam('serialization_method')) { 300 case 'phpserialize': 301 $data = unserialize(gzuncompress($record['version_data'])); 302 break; 303 304 case 'json': 305 $data = json_decode(gzuncompress($record['version_data']), true); 306 break; 307 } 277 308 278 309 // Ensure saved db columns match current table schema. … … 342 373 // First query for oldest records, selecting enough to bring total number down to min_qty. 343 374 $qid = $db->query(" 344 SELECT version_id FROM " . $db->escapeString($this->getParam('db_table')) . " 375 SELECT version_id 376 FROM " . $db->escapeString($this->getParam('db_table')) . " 345 377 WHERE record_table = '" . $db->escapeString($record_table) . "' 346 378 AND record_key = '" . $db->escapeString($record_key) . "' 347 379 AND record_val = '" . $db->escapeString($record_val) . "' 348 380 ORDER BY version_datetime ASC 349 LIMIT " . ($v_count - $this->getParam('min_qty')) . "381 LIMIT " . $db->escapeString($v_count - $this->getParam('min_qty')) . " 350 382 "); 383 $old_versions = array(); 351 384 while (list($old_id) = mysql_fetch_row($qid)) { 352 385 $old_versions[] = $old_id; … … 359 392 // Delete versions older than min_days, while still keeping min_qty. 360 393 $qid = $db->query(" 361 SELECT version_id FROM " . $db->escapeString($this->getParam('db_table')) . " 394 SELECT version_id 395 FROM " . $db->escapeString($this->getParam('db_table')) . " 362 396 WHERE record_table = '" . $db->escapeString($record_table) . "' 363 397 AND record_key = '" . $db->escapeString($record_key) . "' … … 367 401 LIMIT " . ($v_count - $this->getParam('min_qty')) . " 368 402 "); 403 $old_versions = array(); 369 404 while (list($old_id) = mysql_fetch_row($qid)) { 370 405 $old_versions[] = $old_id; … … 455 490 // Get version data. 456 491 $qid = $db->query(" 457 SELECT * FROM " . 
$db->escapeString($this->getParam('db_table')) . " 492 SELECT * 493 FROM " . $db->escapeString($this->getParam('db_table')) . " 458 494 WHERE version_id = '" . $db->escapeString($version_id) . "' 459 495 "); 460 496 $record = mysql_fetch_assoc($qid); 461 497 if (isset($record['version_data'])) { 462 return unserialize(gzuncompress($record['version_data'])); 498 // Unserialize the DB record. 499 switch ($this->getParam('serialization_method')) { 500 case 'phpserialize': 501 return unserialize(gzuncompress($record['version_data'])); 502 503 case 'json': 504 return json_decode(gzuncompress($record['version_data'])); 505 } 463 506 } else { 464 507 return false;
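Review bot: The decode switch in getData (file line 499) calls json_decode without the assoc flag, so it returns stdClass objects while the restore path at file line 305 passes true and gets arrays; the two readers should agree, `return json_decode(gzuncompress($record['version_data']), true);`. Both readers also select the decoder from the current 'serialization_method' setting rather than from how the stored row was written, so a legacy installation that follows the new comment and switches to 'json' can no longer read versions saved under 'phpserialize' (json_decode returns null for a serialized blob), and neither that null nor the false from a failed unserialize is checked before the result is used. Recording the method alongside each row, or detecting the stored format, would make the migration safe; on PHP 7+ the remaining unserialize call can additionally be hardened with `unserialize($blob, ['allowed_classes' => false])` provided the stored records contain no objects, which appears to be the case here. The enclosing methods start and end outside the shown hunks.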