Bug 285740: DBD::Pg must have the PG_BYTEA type specified for inserting BLOBs

Patch By Max Kanat-Alexander <mkanat@kerio.com> r=Tomas.Kopal, a=justdave

webtools/bugzilla/Bugzilla/DB.pm

@@ -51,6 +51,16 @@ use Bugzilla::Error;
 use Bugzilla::DB::Schema;
 use Bugzilla::User;
 
+#####################################################################
+# Constants
+#####################################################################
+
+use constant BLOB_TYPE => DBI::SQL_BLOB;
+
+#####################################################################
+# Deprecated Functions
+#####################################################################
+
 # All this code is backwards compat fu. As such, its a bit ugly. Note the
 # circular dependencies on Bugzilla.pm
 # This is old cruft which will be removed, so theres not much use in
@@ -787,6 +797,11 @@ constants are required to be subroutines or "use constant" variables.
 
 =over 4
 
+=item C<BLOB_TYPE>
+
+The C<\%attr> argument that must be passed to bind_param in order to 
+correctly escape a C<LONGBLOB> type.
+
 =item C<REQUIRED_VERSION>
 
 This is the minimum required version of the database server that the

webtools/bugzilla/Bugzilla/DB/Pg.pm

@@ -42,10 +42,12 @@ package Bugzilla::DB::Pg;
 use strict;
 
 use Bugzilla::Error;
+use DBD::Pg;
 
 # This module extends the DB interface via inheritance
 use base qw(Bugzilla::DB);
 
+use constant BLOB_TYPE => { pg_type => DBD::Pg::PG_BYTEA };
 use constant REQUIRED_VERSION => '7.03.0000';
 use constant PROGRAM_NAME => 'PostgreSQL';
 use constant MODULE_NAME  => 'Pg';

webtools/bugzilla/attachment.cgi

@@ -913,7 +913,6 @@ sub insert
   $filename = SqlQuote($filename);
   my $description = SqlQuote($::FORM{'description'});
   my $contenttype = SqlQuote($::FORM{'contenttype'});
-  my $thedata = SqlQuote($data);
   my $isprivate = $::FORM{'isprivate'} ? 1 : 0;
 
   # Figure out when the changes were made.
@@ -921,8 +920,17 @@ sub insert
   my $sql_timestamp = SqlQuote($timestamp); 
 
   # Insert the attachment into the database.
-  SendSQL("INSERT INTO attachments (bug_id, creation_ts, filename, description, mimetype, ispatch, isprivate, submitter_id, thedata) 
-           VALUES ($::FORM{'bugid'}, $sql_timestamp, $filename, $description, $contenttype, $::FORM{'ispatch'}, $isprivate, $::userid, $thedata)");
+  my $sth = $dbh->prepare("INSERT INTO attachments
+      (thedata, bug_id, creation_ts, filename, description,
+       mimetype, ispatch, isprivate, submitter_id) 
+      VALUES (?, $::FORM{'bugid'}, $sql_timestamp, $filename, 
+              $description, $contenttype, $::FORM{'ispatch'},
+              $isprivate, $::userid)");
+  # We only use $data here in this INSERT with a placeholder,
+  # so it's safe.
+  trick_taint($data);
+  $sth->bind_param(1, $data, $dbh->BLOB_TYPE);
+  $sth->execute();
 
   # Retrieve the ID of the newly created attachment record.
   my $attachid = $dbh->bz_last_key('attachments', 'attach_id');