From c7144ce138d8115505434d07fa66e0c79245c5c0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 7 Sep 2009 14:03:19 +0000 Subject: [PATCH] Fix: Serious bug with encrypt and decrypt function. --- htdocs/install/etape5.php | 24 ++++++++----- htdocs/lib/databases/mssql.lib.php | 35 ++++++++++++++++--- htdocs/lib/databases/mysql.lib.php | 15 ++++---- htdocs/lib/databases/mysqli.lib.php | 24 ++++++------- htdocs/lib/databases/pgsql.lib.php | 54 +++++++---------------------- 5 files changed, 79 insertions(+), 73 deletions(-) diff --git a/htdocs/install/etape5.php b/htdocs/install/etape5.php index 17278c54053..16dc008a1e9 100644 --- a/htdocs/install/etape5.php +++ b/htdocs/install/etape5.php 
@@ -188,20 +188,25 @@ if ($_POST["action"] == "set" || eregi('upgrade',$_POST["action"])) $db->begin(); dolibarr_install_syslog('install/etape5.php set MAIN_VERSION_LAST_INSTALL const to '.$targetversion, LOG_DEBUG); - $db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_VERSION_LAST_INSTALL'"); - $db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_INSTALL',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",".$db->encrypt($targetversion,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",'chaine',0,'Dolibarr version when install',0)"); + $resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_VERSION_LAST_INSTALL'"); + if (! $resql) dol_print_error($db,'Error in setup program'); + $resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_INSTALL',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",".$db->encrypt($targetversion,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",'chaine',0,'Dolibarr version when install',0)"); + if (! 
$resql) dol_print_error($db,'Error in setup program'); $conf->global->MAIN_VERSION_LAST_INSTALL=$targetversion; if ($usedoliwamp) { dolibarr_install_syslog('install/etape5.php set MAIN_REMOVE_INSTALL_WARNING const to 1', LOG_DEBUG); - $db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_REMOVE_INSTALL_WARNING'"); - $db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_REMOVE_INSTALL_WARNING',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",".$db->encrypt(1,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",'chaine',1,'Disable install warnings',0)"); + $resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_REMOVE_INSTALL_WARNING'"); + if (! $resql) dol_print_error($db,'Error in setup program'); + $resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_REMOVE_INSTALL_WARNING',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",".$db->encrypt(1,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",'chaine',1,'Disable install warnings',0)"); + if (! $resql) dol_print_error($db,'Error in setup program'); $conf->global->MAIN_REMOVE_INSTALL_WARNING=1; } dolibarr_install_syslog('install/etape5.php Remove MAIN_NOT_INSTALLED const', LOG_DEBUG); - $db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_NOT_INSTALLED'"); + $resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_NOT_INSTALLED'"); + if (! $resql) dol_print_error($db,'Error in setup program'); $db->commit(); } 
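Review bot: The new `if (! $resql) dol_print_error($db,'Error in setup program');` checks report a failed DELETE or INSERT but then fall through to the `$db->commit()` at the end of the hunk, so a half-applied pair (a DELETE that succeeded followed by an INSERT that did not) is committed and `$conf->global->MAIN_VERSION_LAST_INSTALL` / `MAIN_REMOVE_INSTALL_WARNING` are set in memory as if the writes had happened. Record the failure and decide at the end instead, e.g. `if (! $resql) { $error++; dol_print_error($db,'Error in setup program'); }` after each statement and `if ($error) $db->rollback(); else $db->commit();` in place of the unconditional commit. Note also that `encrypt(...,1)` only wraps its argument in single quotes and does no escaping, so `$targetversion` must be known never to contain a quote; it looks like an internal version constant, but if it can come from anywhere else it should go through `$db->escape()` first. The enclosing `if ($_POST["action"] == "set" || ...)` block starts before this hunk.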
@@ -231,8 +236,10 @@ if ($_POST["action"] == "set" || eregi('upgrade',$_POST["action"])) if ($tagdatabase) { dolibarr_install_syslog('install/etape5.php set MAIN_VERSION_LAST_UPGRADE const to value '.$targetversion, LOG_DEBUG); - $db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey)."='MAIN_VERSION_LAST_UPGRADE'"); - $db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_UPGRADE',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",".$db->encrypt($targetversion,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",'chaine',0,'Dolibarr version for last upgrade',0)"); + $resql=$db->query("DELETE FROM llx_const WHERE ".$db->decrypt('name',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,0)."='MAIN_VERSION_LAST_UPGRADE'"); + if (! $resql) dol_print_error($db,'Error in setup program'); + $resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_UPGRADE',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",".$db->encrypt($targetversion,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",'chaine',0,'Dolibarr version for last upgrade',0)"); + if (! $resql) dol_print_error($db,'Error in setup program'); $conf->global->MAIN_VERSION_LAST_UPGRADE=$targetversion; } else 
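Review bot: `$conf->global->MAIN_VERSION_LAST_UPGRADE=$targetversion;` on the line after the new check still runs when the INSERT failed, so the running installer believes the upgrade marker is recorded while the database holds no (or the old) value, and the error printed by `dol_print_error` is the only trace. Guard the assignment on success, e.g. `if ($resql) $conf->global->MAIN_VERSION_LAST_UPGRADE=$targetversion;`, or better, count the failure into an `$error` flag that the caller uses to abort the step. Whether this DELETE/INSERT pair sits inside a transaction is not visible in this hunk; if it does not, a failed INSERT after a successful DELETE leaves no `MAIN_VERSION_LAST_UPGRADE` row at all. The enclosing `if ($tagdatabase)` block is cut at the hunk edge.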
@@ -251,7 +258,8 @@ if ($_POST["action"] == "set" || eregi('upgrade',$_POST["action"])) } // May fail if parameter already defined - $resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_LANG_DEFAULT',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",".$db->encrypt($setuplang,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey).",'chaine',0,'Default language',1)"); + $resql=$db->query("INSERT INTO llx_const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_LANG_DEFAULT',$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",".$db->encrypt($setuplang,$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1).",'chaine',0,'Default language',1)"); + //if (! $resql) dol_print_error($db,'Error in setup program'); print ''; diff --git a/htdocs/lib/databases/mssql.lib.php b/htdocs/lib/databases/mssql.lib.php index 78be280c789..4d6954259e0 100644 --- a/htdocs/lib/databases/mssql.lib.php +++ b/htdocs/lib/databases/mssql.lib.php 
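Review bot: `$setuplang` is passed to `encrypt(..., 1)`, which merely surrounds it with single quotes and does no escaping, so a quote character in it breaks the INSERT and, if `$setuplang` originates from the request (as an installer language selector usually does — its source is not visible in this hunk), it is an SQL injection point in the setup program. Escape before quoting: `$db->encrypt($db->escape($setuplang),$conf->db->dolibarr_main_db_encryption,$conf->db->dolibarr_main_db_cryptkey,1)`. The commented-out `//if (! $resql) dol_print_error(...)` also hides every failure, not only the duplicate-key case named in the comment above it; if the driver exposes the last error code, check for the duplicate error specifically and report anything else.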
@@ -691,16 +691,41 @@ class DoliDb } } + /** + * \brief Encrypt sensitive data in database + * \param fieldorvalue Field name or value to encrypt + * \param cryptType Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) + * \param cryptKey Encryption key + * \param isAValue String in field can be a field name or a value + * \return return XXX(field) or XXX('value') or field or 'value' + */ + function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0) + { + $return = $fieldorvalue; + return ($isAValue?"'":"").$return.($isAValue?"'":""); + } + + /** + * \brief Decrypt sensitive data in database + * \param field Field name to decrypt + * \param cryptType Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) + * \param cryptKey Encryption key + * \return return Field to decrypt if used + */ + function decrypt($field, $cryptType=0, $cryptKey='') + { + $return = $field; + return $return; + } + // Next function are not required. Only minor features use them. //-------------------------------------------------------------- - - /** - \brief Renvoie l'id de la connexion - \return string Id connexion - */ + * \brief Renvoie l'id de la connexion + * \return string Id connexion + */ function DDLGetConnectId() { $resql=$this->query('SELECT CONNECTION_ID()'); diff --git a/htdocs/lib/databases/mysql.lib.php b/htdocs/lib/databases/mysql.lib.php index 7e4c314e61e..90d2e080f47 100644 --- a/htdocs/lib/databases/mysql.lib.php +++ b/htdocs/lib/databases/mysql.lib.php 
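Review bot: The new `encrypt()` and `decrypt()` for this driver accept `$cryptType` and `$cryptKey`, and their docblocks advertise "2: AES (recommended), 1: DES", yet both ignore those arguments and return the field or quoted value in clear, so a deployment that enables `dolibarr_main_db_encryption` on MSSQL silently stores sensitive data unencrypted. Say so in the docblock, e.g. `* Encryption is NOT implemented for this driver: cryptType and cryptKey are ignored and values are stored in clear.`, and emit a warning through the project's syslog helper when `$cryptType` is non-zero so the misconfiguration is visible. As in the MySQL drivers, `$isAValue` only adds quotes and does not escape `$fieldorvalue`; the docblock should state that callers must escape the value first. The `SELECT CONNECTION_ID()` in the trailing context is unchanged by this commit and is not raised here.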
@@ -680,28 +680,29 @@ class DoliDb /** * \brief Encrypt sensitive data in database - * \param field Field name to encrypt + * \param fieldorvalue Field name or value to encrypt * \param cryptType Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) * \param cryptKey Encryption key - * \return return Field to encrypt if used + * \param isAValue String in field can be a field name or a value + * \return return XXX(field) or XXX('value') or field or 'value' */ - function encrypt($field, $cryptType=0, $cryptKey='') + function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0) { - $return = $field; + $return = $fieldorvalue; if ($cryptType && !empty($cryptKey)) { if ($cryptType == 2) { - $return = 'AES_ENCRYPT('.$field.',\''.$cryptKey.'\')'; + $return = 'AES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')'; } else if ($cryptType == 1) { - $return = 'DES_ENCRYPT('.$field.',\''.$cryptKey.'\')'; + $return = 'DES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')'; } } - return $return; + return ($isAValue?"'":"").$return.($isAValue?"'":""); } /** diff --git a/htdocs/lib/databases/mysqli.lib.php b/htdocs/lib/databases/mysqli.lib.php index b99f00e484e..0414af9a5aa 100644 --- a/htdocs/lib/databases/mysqli.lib.php +++ b/htdocs/lib/databases/mysqli.lib.php 
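Review bot: With `$isAValue=1` and encryption enabled the new code quotes the value twice: the `AES_ENCRYPT(`/`DES_ENCRYPT(` branches already wrap `$fieldorvalue` in quotes, and the final `return ($isAValue?"'":"").$return.($isAValue?"'":"")` then wraps the whole function call again, producing `'AES_ENCRYPT('MAIN_VERSION_LAST_INSTALL','key')'`, which is not valid SQL. Quote once: set `$return = ($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"");` at the top, build the branches as `'AES_ENCRYPT('.$return.',\''.$cryptKey.'\')'` (same for DES), and finish with a plain `return $return;`. The function also performs no escaping — the quoted value and `$cryptKey` are concatenated into the statement verbatim — so either callers must escape and the docblock should say so, or the function should run both through the driver's escape helper itself. Operators should also know that the key travels in the query text (query/slow logs, process list), that MySQL's `AES_ENCRYPT` runs in 128-bit ECB unless `block_encryption_mode` is changed in current releases, and that `DES_ENCRYPT` is obsolete; the hunk does not change that, but the docblock calling AES "recommended" should carry the caveat.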
@@ -688,35 +688,31 @@ class DoliDb return mysqli_insert_id($this->db); } - - - // Next functions are not required. Only minor features use them. - //--------------------------------------------------------------- - /** * \brief Encrypt sensitive data in database - * \param field Field name to encrypt + * \param fieldorvalue Field name or value to encrypt * \param cryptType Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) * \param cryptKey Encryption key - * \return return Field to encrypt if used + * \param isAValue String in field can be a field name or a value + * \return return XXX(field) or XXX('value') or field or 'value' */ - function encrypt($field, $cryptType=0, $cryptKey='') + function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0) { - $return = $field; + $return = $fieldorvalue; if ($cryptType && !empty($cryptKey)) { if ($cryptType == 2) { - $return = 'AES_ENCRYPT('.$field.',\''.$cryptKey.'\')'; + $return = 'AES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')'; } else if ($cryptType == 1) { - $return = 'DES_ENCRYPT('.$field.',\''.$cryptKey.'\')'; + $return = 'DES_ENCRYPT('.($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"").',\''.$cryptKey.'\')'; } } - return $return; + return ($isAValue?"'":"").$return.($isAValue?"'":""); } /** @@ -745,6 +741,10 @@ class DoliDb return $return; } + + // Next functions are not required. Only minor features use them. + //--------------------------------------------------------------- + /** * \brief Renvoie l'id de la connexion * \return string Id connexion diff --git a/htdocs/lib/databases/pgsql.lib.php b/htdocs/lib/databases/pgsql.lib.php index 61e9fdcb205..8880e44c796 100644 --- a/htdocs/lib/databases/pgsql.lib.php +++ b/htdocs/lib/databases/pgsql.lib.php 
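Review bot: Same double-quoting defect as in mysql.lib.php: when `$isAValue=1` and `$cryptType` is 1 or 2, the branch already emits `AES_ENCRYPT('value','key')` and the closing `return ($isAValue?"'":"").$return.($isAValue?"'":"")` wraps that call in a second pair of quotes, which breaks the statement. Apply the quoting once, `$return = ($isAValue?"'":"").$fieldorvalue.($isAValue?"'":"");` before the `if`, use `$return` instead of the re-quoted `$fieldorvalue` inside `AES_ENCRYPT(`/`DES_ENCRYPT(`, and end with `return $return;`. Keep this body byte-identical to the mysql driver's so the two cannot drift again, and document that neither `$fieldorvalue` nor `$cryptKey` is escaped here. The second hunk in this file only moves a comment and needs no change.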
@@ -782,68 +782,40 @@ class DoliDb return $row; } - // Next function are not required. Only minor features use them. - //-------------------------------------------------------------- - /** * \brief Encrypt sensitive data in database - * \param field Field name to encrypt + * \param fieldorvalue Field name or value to encrypt * \param cryptType Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) * \param cryptKey Encryption key - * \return return Field to encrypt if used - * TODO modifier pour postgresql + * \param isAValue String in field can be a field name or a value + * \return return XXX(field) or XXX('value') or field or 'value' */ - function encrypt($field, $cryptType=0, $cryptKey='') + function encrypt($fieldorvalue, $cryptType=0, $cryptKey='', $isAValue=0) { - /* - $return = $field; - - if ($cryptType && !empty($cryptKey)) - { - if ($cryptType == 2) - { - $return = 'AES_ENCRYPT('.$field.',\''.$cryptKey.'\')'; - } - else if ($cryptType == 1) - { - $return = 'DES_ENCRYPT('.$field.',\''.$cryptKey.'\')'; - } - } - - return $return; - */ + $return = $fieldorvalue; + return ($isAValue?"'":"").$return.($isAValue?"'":""); } + /** * \brief Decrypt sensitive data in database * \param field Field name to decrypt * \param cryptType Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) * \param cryptKey Encryption key * \return return Field to decrypt if used - * TODO modifier pour postgresql */ function decrypt($field, $cryptType=0, $cryptKey='') { - /* $return = $field; - - if ($cryptType && !empty($cryptKey)) - { - if ($cryptType == 2) - { - $return = 'AES_DECRYPT('.$field.',\''.$cryptKey.'\')'; - } - else if ($cryptType == 1) - { - $return = 'DES_DECRYPT('.$field.',\''.$cryptKey.'\')'; - } - } - return $return; - */ } - /** + + // Next function are not required. Only minor features use them. 
+ //-------------------------------------------------------------- + + + /** * \brief Renvoie l'id de la connexion * \return string Id connexion */
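Review bot: The replacement `encrypt()`/`decrypt()` return the value or field untouched while the docblocks still list "2: AES (recommended), 1: DES" as supported, so `dolibarr_main_db_encryption` is silently a no-op on PostgreSQL and data meant to be encrypted is stored in clear without any warning. Add a docblock line such as `* Encryption is NOT implemented for PostgreSQL: cryptType and cryptKey are ignored and values are stored in clear.` and log a warning when `$cryptType` is non-zero; an actual implementation would need the pgcrypto extension, which cannot be assumed present and is therefore only noted here. Like the MySQL drivers, `$isAValue` adds quotes without escaping `$fieldorvalue`, which the docblock should state. Dropping the commented-out MySQL code is an improvement; the closing `*/` context belongs to the `DDLGetConnectId()` docblock, whose definition lies outside the hunk.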