Bug #17940 » martix7015.patch

Administrator Admin, 2008-08-29 14:15


t3lib/class.t3lib_db.php (working copy)
// Table and fieldnames should be "SQL-injection-safe" when supplied to this function (contrary to values in the arrays which may be insecure).
if (is_string($where)) {
if (is_array($fields_values) && count($fields_values)) {
$fields = array();
if (is_array($fields_values)) {
// quote and escape values
$nArr = $this->fullQuoteArray($fields_values,$table,$no_quote_fields);
$fields = array();
foreach ($nArr as $k => $v) {
$fields[] = $k.'='.$v;
}
// Build query:
$query = 'UPDATE '.$table.'
SET
'.implode(',
',$fields).
(strlen($where)>0 ? '
WHERE
'.$where : '');
// Return query:
if ($this->debugOutput || $this->store_lastBuiltQuery) $this->debug_lastBuiltQuery = $query;
return $query;
}
// Build query:
$query = 'UPDATE '.$table.'
SET
'.implode(',
',$fields).
(strlen($where)>0 ? '
WHERE
'.$where : '');
if ($this->debugOutput || $this->store_lastBuiltQuery) $this->debug_lastBuiltQuery = $query;
// For backwards compatibility we return false if no fields were given
if (!count($fields)) $query = false;
// Return query:
return $query;
} else {
die('<strong>TYPO3 Fatal Error:</strong> "Where" clause argument for UPDATE query was not a string in $this->UPDATEquery() !');
}
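Review bot: The backwards-compatibility guard `if (!count($fields)) $query = false;` runs after `$this->debug_lastBuiltQuery = $query;`, so when no fields are given the debug store records a syntactically invalid `UPDATE table SET WHERE ...` string (or `UPDATE table SET` with an empty where) even though the method itself returns false; the two statements should be swapped, e.g. `if (!count($fields)) $query = false;` followed by `if ($query !== false && ($this->debugOutput || $this->store_lastBuiltQuery)) $this->debug_lastBuiltQuery = $query;` and then `return $query;`. The rendered view has lost the add/remove markers, so which of the two query-building blocks is the new side is inferred from the comment at line 46, not certain. Note that `$where` is still concatenated verbatim and an empty `$where` yields an UPDATE without a WHERE clause; the header comment places the escaping burden on callers, so a short comment stating that `$where` is trusted and that an empty string updates every row would help the next maintainer. The enclosing UPDATEquery() method begins and ends outside this hunk.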