From 671bf5bff1024a6574089dcbbaa1724c622bf508 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Mon, 22 Feb 2010 19:16:03 +0000
Subject: [PATCH] =?UTF-8?q?Fix:=20bug=20#28895=20:=20Cr=E9ation=20d'utilis?=
 =?UTF-8?q?ateur=20impossible.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ChangeLog                           | 1 +
 htdocs/lib/databases/mysql.lib.php  | 4 ++--
 htdocs/lib/databases/mysqli.lib.php | 4 ++--
 htdocs/lib/databases/pgsql.lib.php  | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 87eca13ebe4..8fe1e968571 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -51,6 +51,7 @@ For users:
 - Fix: Running sending-email.php
 - Fix: Warning should not appears for invoice closed
 - Fix: Import for companies works even with prefix empty.
+- Fix: bug #28895 : Création d'utilisateur impossible.
 
 For developers:
 - Qual: Reorganize /dev directory.
diff --git a/htdocs/lib/databases/mysql.lib.php b/htdocs/lib/databases/mysql.lib.php
index c80d5f17361..01e738f1d10 100644
--- a/htdocs/lib/databases/mysql.lib.php
+++ b/htdocs/lib/databases/mysql.lib.php
@@ -999,7 +999,7 @@ class DoliDb
 	{
 		$sql = "INSERT INTO user ";
 		$sql.= "(Host,User,password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
-		$sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_user',password('$dolibarr_main_db_pass')";
+		$sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_user)."',password('".addslashes($dolibarr_main_db_pass)."')";
 		$sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 
 		dol_syslog("mysql.lib::DDLCreateUser", LOG_DEBUG);	// No sql to avoid password in log
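Review bot: `addslashes()` on the new VALUES line is not aware of the connection's character set or SQL mode, so it is a weaker guard than the driver's own escaping: under a multibyte connection charset, or with `NO_BACKSLASH_ESCAPES` enabled, a quote in the host, user or password can still close the literal. Prefer the driver function bound to the open link, e.g. `mysql_real_escape_string($dolibarr_main_db_pass, $link)` here and `mysqli_real_escape_string($link, $dolibarr_main_db_pass)` in mysqli.lib.php, where `$link` is a placeholder for the class's connection handle, which is not visible in this hunk. The same applies to the `INSERT INTO db` hunk below and to both hunks in mysqli.lib.php. DDLCreateUser starts and ends outside the hunk.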
@@ -1012,7 +1012,7 @@ class DoliDb
 
 		$sql = "INSERT INTO db ";
 		$sql.= "(Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
-		$sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_name','$dolibarr_main_db_user'";
+		$sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_name)."','".addslashes($dolibarr_main_db_user)."'";
 		$sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 
 		dol_syslog("mysql.lib::DDLCreateUser sql=".$sql,LOG_DEBUG);
diff --git a/htdocs/lib/databases/mysqli.lib.php b/htdocs/lib/databases/mysqli.lib.php
index 773d5d88498..58f28fc6dc4 100644
--- a/htdocs/lib/databases/mysqli.lib.php
+++ b/htdocs/lib/databases/mysqli.lib.php
@@ -1011,7 +1011,7 @@ class DoliDb
 	{
 		$sql = "INSERT INTO user ";
 		$sql.= "(Host,User,password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
-		$sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_user',password('$dolibarr_main_db_pass')";
+		$sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_user)."',password('".addslashes($dolibarr_main_db_pass)."')";
 		$sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 
 		dol_syslog("mysqli.lib::DDLCreateUser", LOG_DEBUG);	// No sql to avoid password in log
@@ -1024,7 +1024,7 @@ class DoliDb
 
 		$sql = "INSERT INTO db ";
 		$sql.= "(Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
-		$sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_name','$dolibarr_main_db_user'";
+		$sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_name)."','".addslashes($dolibarr_main_db_user)."'";
 		$sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 
 		dol_syslog("mysqli.lib::DDLCreateUser sql=".$sql);
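Review bot: The trailing `dol_syslog("mysqli.lib::DDLCreateUser sql=".$sql);` call passes no level, while the matching line in mysql.lib.php passes `LOG_DEBUG`. If dol_syslog's default level is higher than debug (its signature is not visible here), the host, database and account name in this statement reach the log in normal operation. Suggest `dol_syslog("mysqli.lib::DDLCreateUser sql=".$sql, LOG_DEBUG);` for parity. The line is unchanged context in this commit, and the function continues outside the hunk.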
diff --git a/htdocs/lib/databases/pgsql.lib.php b/htdocs/lib/databases/pgsql.lib.php
index 92eeb008d5c..3f54edfc021 100644
--- a/htdocs/lib/databases/pgsql.lib.php
+++ b/htdocs/lib/databases/pgsql.lib.php
@@ -915,7 +915,7 @@ class DoliDb
 	 */
 	function DDLCreateUser($dolibarr_main_db_host,$dolibarr_main_db_user,$dolibarr_main_db_pass,$dolibarr_main_db_name)
 	{
-		$sql = "create user \"".$dolibarr_main_db_user."\" with password '".$dolibarr_main_db_pass."'";
+		$sql = "create user \"".addslashes($dolibarr_main_db_user)."\" with password '".addslashes($dolibarr_main_db_pass)."'";
 
 		dol_syslog("pgsql.lib::DDLCreateUser", LOG_DEBUG);	// No sql to avoid password in log
 		$resql=$this->query($sql);
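Review bot: `addslashes()` does not match PostgreSQL's quoting rules on the new `create user` line. The role name is a double-quoted identifier, where an embedded `"` is escaped by doubling it, and with `standard_conforming_strings` on a backslash is not an escape inside `'...'`, so a quote in either value can still end its token. Suggest `$sql = "create user \"".str_replace('"','""',$dolibarr_main_db_user)."\" with password '".pg_escape_string($dolibarr_main_db_pass)."'";`, passing the connection handle to `pg_escape_string()` if the class exposes one (not visible here). Where the PHP version allows it, `pg_escape_identifier()` is the cleaner choice for the role name. The function body continues past the end of the hunk.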
-- 
GitLab