merge r2483 from branch 1.7

- security fix : when conf['question_mark_in_urls']=true , $_SERVER['PATH_INFO'] was not sanitized against sql injection
- mysql errors are now dumped using trigger_error instead of echo and die -> allow admins to see later on if someone tries funny stuff

git-svn-id: http://piwigo.org/svn/trunk@2484 68402e56-0260-453c-a942-63ccdbb3a9ee

1 files changed, 6 insertions, 4 deletions

diff --git a/include/common.inc.php b/include/common.inc.php
index 2e3d27ee3..d12b8bb70 100644
--- a/include/common.inc.php
+++ b/include/common.inc.php
@@ -98,6 +98,10 @@ if( !get_magic_quotes_gpc() )
     @reset($_COOKIE);
   }
 }
+if ( !empty($_SERVER["PATH_INFO"]) )
+{
+  $_SERVER["PATH_INFO"] = addslashes($_SERVER["PATH_INFO"]);
+}
 
 //
 // Define some basic configuration arrays this also prevents malicious
@@ -138,10 +142,8 @@ include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
 include(PHPWG_ROOT_PATH . 'include/template.class.php');
 
 // Database connection
-mysql_connect( $cfgHote, $cfgUser, $cfgPassword )
-or die ( "Could not connect to database server" );
-mysql_select_db( $cfgBase )
-or die ( "Could not connect to database" );
+@mysql_connect( $cfgHote, $cfgUser, $cfgPassword ) or my_error( 'mysql_connect', true );
+@mysql_select_db( $cfgBase ) or my_error( 'mysql_select_db', true );
 
 defined('PWG_CHARSET') and defined('DB_CHARSET')
   or die('PWG_CHARSET and/or DB_CHARSET is not defined');