Suggestion of 2 new functions for SQL-safe CSV-values-handling for IN…

… (....) usages Instead of using: `" AND columnname IN " . implode( $array )` and have escaping outside the query (and hard to security-review), I suggest: `" AND columname IN (" . $db->safeArrayOfIntegersToCSV($array) . ")"` Which makes security-reviews much easier (and automatable). This function and its generalized use would have avoided vulnerability in joomla#42 joomla/cms-security#42 (comment)
beat · Dec 16, 2015 · 8a8f987 · 8a8f987
1 parent 952f2a6
commit 8a8f987
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/libraries/joomla/database/driver.php b/libraries/joomla/database/driver.php
@@ -1850,6 +1850,48 @@ public function quoteName($name, $as = null)
 		}
 	}
 
+	/**
+	 * Sanitizes an array of (int) to a safe CSV-formatted string
+	 *
+	 * @param   array   $array  Array to sanitize out
+	 *
+	 * @return  string          string with safe integers, e.g. '1, 2, 3'
+	 *
+	 * @since   3.4.7
+	 */
+	public function safeArrayOfIntegersToCSV($array)
+	{
+		return implode(', ', array_map(
+			function ($v)
+			{
+				return (int) $v;
+			},
+			$array
+			)
+		);
+	}
+
+	/**
+	 * Sanitizes an array of (string) to a safe CSV-formatted string of escaped and quoted values
+	 *
+	 * @param   string[]  $array  Array to sanitize out
+	 *
+	 * @return  string            string with safe database-quoted strings e.g. "'A', 'B', 'C'""
+	 *
+	 * @since   3.4.7
+	 */
+	public function safeArrayOfStringsToCSV($array)
+	{
+		return implode(', ', array_map(
+			function ($v)
+			{
+				return $this->quote($v);
+			},
+			$array
+			)
+		);
+	}
+
 	/**
 	 * Quote strings coming from quoteName call.
 	 *