Index: t3lib/class.t3lib_userauth.php
===================================================================
--- t3lib/class.t3lib_userauth.php (revision 8664)
+++ t3lib/class.t3lib_userauth.php (working copy)
@@ -772,9 +772,14 @@
 if ($this->writeDevLog) t3lib_div::devLog('Fetch session ses_id = '.$this->id, 't3lib_userAuth');
 // fetch the user session from the DB
- $dbres = $this->fetchUserSessionFromDB();
+ $statement = $this->fetchUserSessionFromDB();
+ if ($statement) {
+ $statement->execute();
+ $user = $statement->fetch();
+ $statement->free();
+ }
- if ($dbres && $user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+ if ($statement && $user) {
 // A user was found
 if (is_string($this->auth_timeout_field)) {
 $timeout = intval($user[$this->auth_timeout_field]); // Get timeout-time from usertable
@@ -849,12 +854,16 @@
 * @return boolean Returns true if a corresponding session was found in the database
 */
 function isExistingSessionRecord($id) {
- $count = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
- 'ses_id',
- $this->session_table,
- 'ses_id=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, $this->session_table)
- );
- return (($count ? true : false));
+ $statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
+ 'COUNT(*)',
+ $this->session_table,
+ 'ses_id = :ses_id'
+ );
+ $statement->execute(array(':ses_id' => $id));
+ $row = $statement->fetch(t3lib_db_PreparedStatement::FETCH_NUM);
+ $statement->free();
+
+ return (($row[0] ? TRUE : FALSE));
 }
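Review bot: `$statement->execute()` is called with its result discarded, so when execution fails `fetch()` still runs on the statement and whatever it returns becomes `$user` for the `if ($statement && $user)` test; the hunk in class.tslib_feuserauth.php further down treats a `FALSE` return from `execute()` as failure, and this call site should do the same: `$user = FALSE;` before the `if ($statement)` block, then `if ($statement->execute() !== FALSE) { $user = $statement->fetch(); }` with `$statement->free();` kept unconditional. Initialising `$user` also stops the combined test from relying on short-circuit evaluation alone to avoid reading an unset variable. The enclosing method starts and ends outside this hunk.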
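Review bot: In `isExistingSessionRecord()` the result of `$statement->execute(array(':ses_id' => $id))` is discarded and `$row[0]` is read unconditionally, so on a failed execute `$row` is whatever `fetch()` returns on an unexecuted statement (presumably `FALSE`) and `$row[0]` on `FALSE` silently yields `NULL`, i.e. "no session" — fail-closed by accident rather than by design. Since this is the session-fixation check for a client-supplied session ID (the later `fetchSessionData` comment refers to it), make the intent explicit: `if ($statement->execute(array(':ses_id' => $id)) === FALSE) { $statement->free(); return FALSE; }`. Binding `$id` as `:ses_id` instead of concatenating a `fullQuoteStr()` result is the right change for that value.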
@@ -882,40 +891,50 @@
 * then don't evaluate with the hashLockClause, as the client/browser is included in this hash
 * and thus, the flash request would be rejected
 *
- * @return DB result object or false on error
+ * @return t3lib_db_PreparedStatement
 * @access private
 */
 protected function fetchUserSessionFromDB() {
+ $statement = null;
+ $ipLockClause = $this->ipLockClause();
 if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
 // if on the flash client, the veri code is valid, then the user session is fetched
 // from the DB without the hashLock clause
 if (t3lib_div::_GP('vC') == $this->veriCode()) {
- $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
- '*',
- $this->session_table.','.$this->user_table,
- $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
- AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
- AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
- '.$this->ipLockClause().'
- '.$this->user_where_clause()
+ $statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
+ '*',
+ $this->session_table . ',' . $this->user_table,
+ $this->session_table . '.ses_id = :ses_id
+ AND ' . $this->session_table . '.ses_name = :ses_name
+ AND ' . $this->session_table . '.ses_userid = ' . $this->user_table . '.' . $this->userid_column . '
+ ' . $ipLockClause['where'] . '
+ ' . $this->user_where_clause()
 );
- } else {
- $dbres = false;
+ $statement->bindValues(array(
+ ':ses_id' => $this->id,
+ ':ses_name' => $this->name,
+ ));
+ $statement->bindValues($ipLockClause['parameters']);
 }
 } else {
- $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
- '*',
- $this->session_table.','.$this->user_table,
- $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
- AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
- AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
- '.$this->ipLockClause().'
- '.$this->hashLockClause().'
- '.$this->user_where_clause()
+ $statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
+ '*',
+ $this->session_table . ',' . $this->user_table,
+ $this->session_table . '.ses_id = :ses_id
+ AND ' . $this->session_table . '.ses_name = :ses_name
+ AND ' . $this->session_table . '.ses_userid = ' . $this->user_table . '.' . $this->userid_column . '
+ ' . $ipLockClause['where'] . '
+ ' . $this->hashLockClause() . '
+ ' . $this->user_where_clause()
 );
+ $statement->bindValues(array(
+ ':ses_id' => $this->id,
+ ':ses_name' => $this->name,
+ ));
+ $statement->bindValues($ipLockClause['parameters']);
 }
- return $dbres;
+ return $statement;
 }
@@ -925,7 +944,7 @@
 * @return string
 * @access private
 */
- function user_where_clause() {
+ protected function user_where_clause() {
 return (($this->enablecolumns['rootLevel']) ? 'AND '.$this->user_table.'.pid=0 ' : '').
 (($this->enablecolumns['disabled']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['disabled'].'=0' : '').
 (($this->enablecolumns['deleted']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['deleted'].'=0' : '').
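Review bot: Both branches of `fetchUserSessionFromDB()` call `bindValues()` twice — once for `:ses_id`/`:ses_name` and again for `$ipLockClause['parameters']` — so the query is only correct if `bindValues()` merges with previously bound values rather than replacing them, which this diff does not show; a single call, `$statement->bindValues(array_merge(array(':ses_id' => $this->id, ':ses_name' => $this->name), $ipLockClause['parameters']));`, removes the dependency on that behaviour. The new docblock `@return t3lib_db_PreparedStatement` is also incomplete: `$statement` starts as `null` and stays `null` in the flash branch when the `vC` check fails, and the caller in the first hunk relies on that, so document it as `@return t3lib_db_PreparedStatement|NULL  NULL when the flash veriCode check fails`. The two branches now differ only in the presence of `hashLockClause()`; building the WHERE fragment once and appending the hash clause conditionally would halve the duplicated query text.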
@@ -934,19 +953,26 @@
 }
 /**
- * This returns the where-clause needed to lock a user to the IP address
+ * This returns the where prepared statement-clause needed to lock a user to the IP address
 *
- * @return string
+ * @return array
 * @access private
 */
- function ipLockClause() {
+ protected function ipLockClause() {
+ $statementClause = array(
+ 'where' => '',
+ 'parameters' => array(),
+ );
 if ($this->lockIP) {
- $wherePart = 'AND (
- '.$this->session_table.'.ses_iplock='.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->ipLockClause_remoteIPNumber($this->lockIP),$this->session_table).'
- OR '.$this->session_table.'.ses_iplock=\'[DISABLED]\'
+ $statementClause['where'] = 'AND (
+ ' . $this->session_table . '.ses_iplock = :ses_iplock
+ OR ' . $this->session_table . '.ses_iplock=\'[DISABLED]\'
 )';
- return $wherePart;
+ $statementClause['parameters'] = array(
+ ':ses_iplock' => $this->ipLockClause_remoteIPNumber($this->lockIP),
+ );
 }
+ return $statementClause;
 }
 /**
@@ -957,7 +983,7 @@
 * @return string (Partial) IP address for REMOTE_ADDR
 * @access private
 */
- function ipLockClause_remoteIPNumber($parts) {
+ protected function ipLockClause_remoteIPNumber($parts) {
 $IP = t3lib_div::getIndpEnv('REMOTE_ADDR');
 if ($parts>=4) {
@@ -988,7 +1014,7 @@
 * @return string
 * @access private
 */
- function hashLockClause() {
+ protected function hashLockClause() {
 $wherePart = 'AND '.$this->session_table.'.ses_hashlock='.intval($this->hashLockClause_getHashInt());
 return $wherePart;
 }
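Review bot: `ipLockClause()` changes both visibility (`function` → `protected`) and return type (string → array) in one step, so any subclass overriding it or code concatenating its old string return into a query will now fail or emit `Array` into SQL; if such callers exist elsewhere in the tree (not visible here), a deprecation shim returning the old string would be safer than a silent shape change. The docblock should spell out the new shape, e.g. `@return array  'where' => SQL fragment (empty string when lockIP is off), 'parameters' => array(':ses_iplock' => partial REMOTE_ADDR)`, and the retained `@access private` tag now contradicts the `protected` keyword on the same method. Moving the IP into the bound parameter `:ses_iplock` is the right change; the literal `'[DISABLED]'` and the table name stay inline, which is fine since neither comes from the request.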
@@ -999,7 +1025,7 @@
 * @return integer Hash integer
 * @access private
 */
- function hashLockClause_getHashInt() {
+ protected function hashLockClause_getHashInt() {
 $hashStr = '';
 if (t3lib_div::inList($this->lockHashKeyWords,'useragent')) $hashStr.=':'.t3lib_div::getIndpEnv('HTTP_USER_AGENT');
Index: typo3/sysext/cms/tslib/class.tslib_feuserauth.php
===================================================================
--- typo3/sysext/cms/tslib/class.tslib_feuserauth.php (revision 8664)
+++ typo3/sysext/cms/tslib/class.tslib_feuserauth.php (working copy)
@@ -370,12 +370,17 @@
 function fetchSessionData() {
 // Gets SesData if any AND if not already selected by session fixation check in ->isExistingSessionRecord()
 if ($this->id && !count($this->sesData)) {
- $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'fe_session_data', 'hash='.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, 'fe_session_data'));
- if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+ $statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
+ '*',
+ 'fe_session_data',
+ 'hash = :hash'
+ );
+ $statement->execute(array(':hash' => $this->id));
+ if (($sesDataRow = $statement->fetch()) !== FALSE) {
 $this->sesData = unserialize($sesDataRow['content']);
 $this->sessionDataTimestamp = $sesDataRow['tstamp'];
 }
- $GLOBALS['TYPO3_DB']->sql_free_result($dbres);
+ $statement->free();
 }
 }
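Review bot: In `fetchSessionData()` the return value of `$statement->execute(array(':hash' => $this->id))` is discarded, while the next hunk in this same file stores it in `$res` and tests `$res !== FALSE` before fetching; make this call site consistent: `if ($statement->execute(array(':hash' => $this->id)) !== FALSE && ($sesDataRow = $statement->fetch()) !== FALSE) {`. The `unserialize($sesDataRow['content'])` is pre-existing, but since `unserialize()` on attacker-influenced bytes is an object-injection vector it deserves a comment stating that `content` is only ever written by this class (presumably true — verify against the writers of fe_session_data). The `!== FALSE` test assumes `fetch()` returns `FALSE` and not `NULL` on an empty result, which this diff cannot confirm.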
@@ -531,17 +536,18 @@
 // Check if there are any fe_session_data records for the session ID the client claims to have
 if ($count == false) {
- $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
- 'content',
- 'fe_session_data',
- 'hash=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, 'fe_session_data')
- );
- if ($dbres !== false) {
- if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+ $statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
+ 'content',
+ 'fe_session_data',
+ 'hash = :hash'
+ );
+ $res = $statement->execute(array(':hash' => $id));
+ if ($res !== FALSE) {
+ if ($sesDataRow = $statement->fetch()) {
 $count = true;
 $this->sesData = unserialize($sesDataRow['content']);
 }
- $GLOBALS['TYPO3_DB']->sql_free_result($dbres);
+ $statement->free();
 }
 }
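Review bot: `$statement->free()` is only reached inside `if ($res !== FALSE)`, so a failed `execute()` leaves the prepared statement unfreed; the old `sql_free_result($dbres)` could not be called on a `false` result, but the statement object here exists either way, so move `$statement->free();` to just after the `if ($res !== FALSE) { … }` block (assuming `free()` is safe on an unexecuted statement — verify in t3lib_db_PreparedStatement). The outer `if ($count == false)` is a loose comparison that also matches `0`, `''` and `null`; `=== false` would be stricter, though that line is unchanged context. The enclosing method starts before this hunk.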