From 7fedb8890abdedded63d0a729115464f7c1852df Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Mon, 7 Sep 2009 19:33:21 +0000
Subject: [PATCH] Fix: Serious bug with encrypt and decrypt function.

---
 htdocs/includes/modules/DolibarrModules.class.php |  4 ++--
 htdocs/install/etape5.php                         |  8 ++++----
 htdocs/lib/admin.lib.php                          |  4 ++--
 htdocs/lib/databases/mssql.lib.php                |  6 +++---
 htdocs/lib/databases/mysql.lib.php                | 10 +++++-----
 htdocs/lib/databases/mysqli.lib.php               | 10 +++++-----
 htdocs/lib/databases/pgsql.lib.php                |  6 +++---
 7 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/htdocs/includes/modules/DolibarrModules.class.php b/htdocs/includes/modules/DolibarrModules.class.php
index 9b802896329..862ca219d59 100644
--- a/htdocs/includes/modules/DolibarrModules.class.php
+++ b/htdocs/includes/modules/DolibarrModules.class.php
@@ -386,8 +386,8 @@ class DolibarrModules
 		$this->db->query($sql);
 
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,value,visible,entity) VALUES";
-		$sql.= " (".$this->db->encrypt("'".$this->const_name."'",$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey);
-		$sql.= ",".$this->db->encrypt('1',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey);
+		$sql.= " (".$this->db->encrypt($this->const_name,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1);
+		$sql.= ",".$this->db->encrypt('1',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1);
 		$sql.= ",0,".$entity.")";
 
 		dol_syslog("DolibarrModules::_active sql=".$sql, LOG_DEBUG);
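Review bot: The two encrypt(...,1) calls on the new lines hand `$this->const_name` to the driver with withQuotes=1, and the mysql/mysqli encrypt() in this same patch applies withQuotes twice when a cryptType is set — once inside AES_ENCRYPT()/DES_ENCRYPT() and once around the result — so with database encryption enabled this INSERT becomes `'AES_ENCRYPT('NAME','key')'` and is no longer a valid statement; with encryption off the name is quoted but never escaped, which is tolerable only because const_name is an internal constant. Separately, the full statement is written to syslog on the next context line at LOG_DEBUG, and when encryption is on that statement embeds `$conf->db->dolibarr_main_db_cryptkey` in clear, so the logged copy should be redacted, e.g. `dol_syslog("DolibarrModules::_active sql=".str_replace($conf->db->dolibarr_main_db_cryptkey, '***', $sql), LOG_DEBUG);` (the dol_syslog in the admin.lib.php hunk of this patch has the same exposure). The enclosing method continues outside the hunk.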
diff --git a/htdocs/install/etape5.php b/htdocs/install/etape5.php
index 16dc008a1e9..7ff8b81c85c 100644
--- a/htdocs/install/etape5.php
+++ b/htdocs/install/etape5.php
@@ -188,7 +188,7 @@ if ($_POST["action"] == "set" || eregi('upgrade',$_POST["action"]))
 				$db->begin();
 
 				dolibarr_install_syslog('install/etape5.php set MAIN_VERSION_LAST_INSTALL const to '.$targetversion, LOG_DEBUG);
-				$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_VERSION_LAST_INSTALL'");
+				$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_VERSION_LAST_INSTALL'");
 				if (! $resql) dol_print_error($db,'Error in setup program');
 				$resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_INSTALL',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",".$db->encrypt($targetversion,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",'chaine',0,'Dolibarr version when install',0)");
 				if (! $resql) dol_print_error($db,'Error in setup program');
@@ -197,7 +197,7 @@ if ($_POST["action"] == "set" || eregi('upgrade',$_POST["action"]))
 				if ($usedoliwamp)
 				{
 					dolibarr_install_syslog('install/etape5.php set MAIN_REMOVE_INSTALL_WARNING const to 1', LOG_DEBUG);
-					$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_REMOVE_INSTALL_WARNING'");
+					$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_REMOVE_INSTALL_WARNING'");
 					if (! $resql) dol_print_error($db,'Error in setup program');
 					$resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_REMOVE_INSTALL_WARNING',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",".$db->encrypt(1,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",'chaine',1,'Disable install warnings',0)");
 					if (! $resql) dol_print_error($db,'Error in setup program');
@@ -205,7 +205,7 @@ if ($_POST["action"] == "set" || eregi('upgrade',$_POST["action"]))
 				}
 
 				dolibarr_install_syslog('install/etape5.php Remove MAIN_NOT_INSTALLED const', LOG_DEBUG);
-				$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_NOT_INSTALLED'");
+				$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_NOT_INSTALLED'");
 				if (! $resql) dol_print_error($db,'Error in setup program');
 
 				$db->commit();
@@ -236,7 +236,7 @@ if ($_POST["action"] == "set" || eregi('upgrade',$_POST["action"]))
 			if ($tagdatabase)
 			{
 				dolibarr_install_syslog('install/etape5.php set MAIN_VERSION_LAST_UPGRADE const to value '.$targetversion, LOG_DEBUG);
-				$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_VERSION_LAST_UPGRADE'");
+				$resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_VERSION_LAST_UPGRADE'");
 				if (! $resql) dol_print_error($db,'Error in setup program');
 				$resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_UPGRADE',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",".$db->encrypt($targetversion,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",'chaine',0,'Dolibarr version for last upgrade',0)");
 				if (! $resql) dol_print_error($db,'Error in setup program');
diff --git a/htdocs/lib/admin.lib.php b/htdocs/lib/admin.lib.php
index eb6d40745c0..62c28895d5f 100644
--- a/htdocs/lib/admin.lib.php
+++ b/htdocs/lib/admin.lib.php
@@ -390,8 +390,8 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
 	{
 		$sql = "INSERT INTO llx_const(name,value,type,visible,note,entity)";
 		$sql.= " VALUES (";
-		$sql.= $db->encrypt("'".$name."'",$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey);
-		$sql.= ",".$db->encrypt("'".addslashes($value)."'",$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey);
+		$sql.= "'".addslashes($db->encrypt($name,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0))."'";
+		$sql.= ",'".addslashes($db->encrypt($value,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0))."'";
 		$sql.= ",'".$type."',".$visible.",'".addslashes($note)."',".$entity.")";
 
 		dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
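Review bot: The rewritten lines wrap the result of encrypt(...,0) in quotes and addslashes() it, which only works when no encryption is configured: with a cryptType set, encrypt(...,0) returns the SQL expression `AES_ENCRYPT(NAME,'key')` (inner value unquoted, so parsed as an identifier), and the outer quoting turns that whole expression into a string literal that is stored verbatim instead of the encrypted value. The DolibarrModules.class.php hunk in this same patch uses the opposite convention (escape nothing, withQuotes=1), so the two callers of encrypt() now disagree on who quotes. Escaping belongs on the plaintext before it reaches the driver, with the quoting left inside encrypt(), i.e. `$sql.= $db->encrypt(addslashes($name),$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1);` and the same form for `$value`. dolibarr_set_const starts and ends outside the hunk.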
diff --git a/htdocs/lib/databases/mssql.lib.php b/htdocs/lib/databases/mssql.lib.php
index 4d6954259e0..fe256d89438 100644
--- a/htdocs/lib/databases/mssql.lib.php
+++ b/htdocs/lib/databases/mssql.lib.php
@@ -696,13 +696,13 @@ class DoliDb
 	 *	\param	        fieldorvalue	Field name or value to encrypt
 	 * 	\param			cryptType		Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
 	 * 	\param			cryptKey		Encryption key
-	 * 	\param			isAValue		String in field can be a field name or a value
+	 * 	\param			withQuotes		Return string with quotes
 	 * 	\return	        return			XXX(field) or XXX('value') or field or 'value'
 	 */
-	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0)
+	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $withQuotes=0)
 	{
 		$return = $fieldorvalue;
-		return ($isAValue?"'":"").$return.($isAValue?"'":"");
+		return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
 	}
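Review bot: After the rename, encrypt() in this driver still ignores `$cryptType` and `$cryptKey` entirely and returns `$fieldorvalue` as-is, so a deployment that enables dolibarr_main_db_encryption on mssql silently stores constants in clear while the docblock above still advertises AES/DES; the pgsql hunk in this patch has the identical body. The docblock should state this instead of repeating the mysql wording, e.g. `\remarks Encryption is not implemented for this driver: cryptType and cryptKey are ignored and the value is returned unencrypted.` Note also that when `$withQuotes` is set the value is quoted but not escaped, so callers must escape before calling.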
 
 	/**
diff --git a/htdocs/lib/databases/mysql.lib.php b/htdocs/lib/databases/mysql.lib.php
index 90d2e080f47..2b9ab1edaaf 100644
--- a/htdocs/lib/databases/mysql.lib.php
+++ b/htdocs/lib/databases/mysql.lib.php
@@ -683,10 +683,10 @@ class DoliDb
 	 *	\param	        fieldorvalue	Field name or value to encrypt
 	 * 	\param			cryptType		Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
 	 * 	\param			cryptKey		Encryption key
-	 * 	\param			isAValue		String in field can be a field name or a value
+	 * 	\param			withQuotes		Return string with quotes
 	 * 	\return	        return			XXX(field) or XXX('value') or field or 'value'
 	 */
-	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0)
+	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $withQuotes=0)
 	{
 		$return = $fieldorvalue;
 
@@ -694,15 +694,15 @@ class DoliDb
 		{
 			if ($cryptType == 2)
 			{
-				$return = 'AES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')';
+				$return = 'AES_ENCRYPT('.($withQuotes?"'":"").$fieldorvalue.($withQuotes?"'":"").',\''.$cryptKey.'\')';
 			}
 			else if ($cryptType == 1)
 			{
-				$return = 'DES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')';
+				$return = 'DES_ENCRYPT('.($withQuotes?"'":"").$fieldorvalue.($withQuotes?"'":"").',\''.$cryptKey.'\')';
 			}
 		}
 
-		return ($isAValue?"'":"").$return.($isAValue?"'":"");
+		return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
 	}
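Review bot: With `$withQuotes` set and cryptType 1 or 2, the new lines quote the value inside AES_ENCRYPT()/DES_ENCRYPT() and the final return then quotes the whole expression again, yielding `'AES_ENCRYPT('value','key')'`, which is not a valid SQL expression; the mysqli.lib.php hunk in this patch contains the identical code. The outer quotes are only right when no encryption expression was built, so the last line should be `return ($withQuotes && $return === $fieldorvalue) ? "'".$return."'" : $return;`. Neither `$fieldorvalue` nor `$cryptKey` is escaped before being concatenated into the expression, so a key or value containing a single quote breaks the statement; escaping both here (the callers in this patch use addslashes) would be safer than relying on every caller. The condition guarding this block sits on the line just before the hunk, so I am assuming it tests cryptType and cryptKey.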
 
 	/**
diff --git a/htdocs/lib/databases/mysqli.lib.php b/htdocs/lib/databases/mysqli.lib.php
index 0414af9a5aa..fd62e6feb51 100644
--- a/htdocs/lib/databases/mysqli.lib.php
+++ b/htdocs/lib/databases/mysqli.lib.php
@@ -693,10 +693,10 @@ class DoliDb
 	 *	\param	        fieldorvalue	Field name or value to encrypt
 	 * 	\param			cryptType		Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
 	 * 	\param			cryptKey		Encryption key
-	 * 	\param			isAValue		String in field can be a field name or a value
+	 * 	\param			withQuotes		Return string with quotes
 	 * 	\return	        return			XXX(field) or XXX('value') or field or 'value'
 	 */
-	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0)
+	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $withQuotes=0)
 	{
 		$return = $fieldorvalue;
 
@@ -704,15 +704,15 @@ class DoliDb
 		{
 			if ($cryptType == 2)
 			{
-				$return = 'AES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')';
+				$return = 'AES_ENCRYPT('.($withQuotes?"'":"").$fieldorvalue.($withQuotes?"'":"").',\''.$cryptKey.'\')';
 			}
 			else if ($cryptType == 1)
 			{
-				$return = 'DES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')';
+				$return = 'DES_ENCRYPT('.($withQuotes?"'":"").$fieldorvalue.($withQuotes?"'":"").',\''.$cryptKey.'\')';
 			}
 		}
 
-		return ($isAValue?"'":"").$return.($isAValue?"'":"");
+		return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
 	}
 
 	/**
diff --git a/htdocs/lib/databases/pgsql.lib.php b/htdocs/lib/databases/pgsql.lib.php
index 8880e44c796..b4a98e45457 100644
--- a/htdocs/lib/databases/pgsql.lib.php
+++ b/htdocs/lib/databases/pgsql.lib.php
@@ -787,13 +787,13 @@ class DoliDb
 	 *	\param	        fieldorvalue	Field name or value to encrypt
 	 * 	\param			cryptType		Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
 	 * 	\param			cryptKey		Encryption key
-	 * 	\param			isAValue		String in field can be a field name or a value
+	 * 	\param			withQuotes		Return string with quotes
 	 * 	\return	        return			XXX(field) or XXX('value') or field or 'value'
 	 */
-	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0)
+	function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $withQuotes=0)
 	{
 		$return = $fieldorvalue;
-		return ($isAValue?"'":"").$return.($isAValue?"'":"");
+		return ($withQuotes?"'":"").$return.($withQuotes?"'":"");
 	}
 
 
-- 
GitLab