MDL-29894 forbid objects in DML parameters

Objects with __toString were never fully supported as parameters in the DML layer; this finally brings consistent behaviour.
This commit is contained in:
Petr Skoda 2012-03-17 18:42:30 +01:00
parent a2b30aa852
commit e618cdf3f6
8 changed files with 156 additions and 4 deletions


@ -690,6 +690,17 @@ abstract class moodle_database {
return "\$".$this->fix_sql_params_i;
}
/**
* Detects object parameters and throws exception if found
* @param mixed $value
* @return void
*/
protected function detect_objects($value) {
if (is_object($value)) {
throw new coding_exception('Invalid database query parameter value', 'Objects are are not allowed: '.get_class($value));
}
}
/**
* Normalizes sql query parameters and verifies parameters.
* @param string $sql The query or part of it.
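Review bot: The exception text in detect_objects repeats a word: `'Objects are are not allowed: '.get_class($value)` should read `'Objects are not allowed: '.get_class($value)`. The new docblock documents a void return but not the failure path callers actually depend on; add `@throws coding_exception if $value is an object` below the @return line. Note also that the method inspects only the value it is handed and does not descend into arrays, so an object nested inside an array parameter would pass unnoticed — presumably the foreach in the second hunk is the only call site and passes scalars, so this is likely fine, but worth stating in the docblock.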
@ -703,8 +714,9 @@ abstract class moodle_database {
// convert table names
$sql = $this->fix_table_names($sql);
// cast booleans to 1/0 int
// cast booleans to 1/0 int and detect forbidden objects
foreach ($params as $key => $value) {
$this->detect_objects($value);
$params[$key] = is_bool($value) ? (int)$value : $value;
}