From 569aaa65f5523069adb748715e36c9e3cba3992d Mon Sep 17 00:00:00 2001
From: Nathan Gass
Date: Tue, 28 Feb 2023 18:57:33 +0100
Subject: adapt escaping of ints and floats to better handle booleans and strings as input

---
 it_dbi.class | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

(limited to 'it_dbi.class')

diff --git a/it_dbi.class b/it_dbi.class
index c9cef54..2923bf3 100644
--- a/it_dbi.class
+++ b/it_dbi.class
@@ -914,6 +914,26 @@ function escape_string($str)
 return $this->_escape_string($str);
 }
 
+/**
+ * Escapes an int for use in a DB query
+ * @param The int to be quoted
+ * @return The quoted value
+ */
+static function escape_int($val)
+{
+ return "'" . intval($val) . "'";
+}
+
+/**
+ * Escapes a float for use in a DB query
+ * @param The float to be quoted
+ * @return The quoted value
+ */
+static function escape_float($val)
+{
+ return "'" . floatval($val) . "'";
+}
+
 /**
 * Escapes a name/identifier for use in a DB query
 * @param The identifier to be quoted
@@ -941,7 +961,6 @@ static function escape_bool($bool)
 */
 function _get_field_info()
 {
- $result = array();
 $dbid = "{$this->_p['user']}@{$this->_p['server']}:{$this->_p['db']}";
 $state = static::_state_get($dbid);
 
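Review bot: escape_float renders the value by string-casting the float (`"'" . floatval($val) . "'"`), which rounds to the `precision` ini setting (14 significant digits by default), so a value destined for a DOUBLE column can lose digits before it reaches the server, and on PHP releases before 8.0 that cast is also locale-dependent and may emit a decimal comma. NAN and INF likewise become the non-numeric literals `'NAN'` and `'INF'`. A round-trip-safe rendering such as `return "'" . var_export(floatval($val), true) . "'";` (which follows serialize_precision and is locale-independent), optionally behind an `is_finite()` guard, avoids both. Both helpers also map non-numeric strings silently to 0, which is presumably the intended coercion per the subject line; if callers rely on rejection instead, an `is_numeric($val)` check up front would surface the bad input. The docblocks omit the parameter name and type; `@param mixed $val The value, coerced with intval()/floatval() before quoting` reads better than `@param The int to be quoted`.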
@@ -956,8 +975,16 @@ function _get_field_info()
 $this->_convertfunc[$name] = $field['_convertfunc'];
 $this->_escapefunc[$name] = $field['_escapefunc'];
 }
- else if (preg_match('/^(tiny|small|medium|)int|^float|^double$/', $field['Type']))
- $this->_convertfunc[$name] = it::match('int', $field['Type']) ? "intval" : "floatval";
+ else if (preg_match('/^(tiny|small|medium|)int/', $field['Type']))
+ {
+ $this->_convertfunc[$name] = "intval";
+ $this->_escapefunc[$name] = static::class . "::escape_int";
+ }
+ else if (preg_match('/^float|^double$/', $field['Type']))
+ {
+ $this->_convertfunc[$name] = "floatval";
+ $this->_escapefunc[$name] = static::class . "::escape_float";
+ }
 }
 
 $this->_fieldnames = "," . implode(",", array_keys((array)$this->_fields)) . ",";
@@ -979,6 +1006,7 @@ function _get_field_info()
 $this->_localizedfields = $state['localizedfields'][$this->_p['table']];
 }
 
+ $result = array();
 foreach((array)$this->_fields as $field)
 {
 if ($field['Key'] == 'PRI')
-- cgit v1.2.3
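Review bot: The second new branch anchors only the double alternative, `'/^float|^double$/'`, so a column whose Type is reported as `double(M,D)` or `double unsigned` does not match and keeps the default string escaping, while `float(M,D)` does match through the unanchored `^float`; the same `$`-only-on-double asymmetry existed in the old combined pattern, but splitting the branches is the moment to make it consistent, e.g. `'/^(float|double)/'`. `bigint` is also left out by `^(tiny|small|medium|)int`, which may be deliberate given that intval() clamps to PHP_INT_MAX, but deserves a one-line comment if so. `_get_field_info` starts and ends outside this hunk.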