keith/friendica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #7175 from annando/db-table-escape

Browse source 
Fix table name sanitation / enable table schemes
This commit is contained in:
Hypolite Petovan 2019-05-21 16:56:56 -04:00 committed by GitHub
commit 80f9487216
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
src/Database/DBA.php
View file

@ -288,6 +288,19 @@ class DBA
} }
} }
/**
* Removes every not whitelisted character from the identifier string
*
* @param string $identifier
*
* @return string sanitized identifier
* @throws \Exception
*/
private static function sanitizeIdentifier($identifier)
{
return preg_replace('/[^A-Za-z0-9_\-]+/', '', $identifier);
}
public static function escape($str) { public static function escape($str) {
if (self::$connected) { if (self::$connected) {
switch (self::$driver) { switch (self::$driver) {
@ -872,6 +885,29 @@ class DBA
return $columns; return $columns;
} }
/**
* @brief Insert a row into a table
*
* @param string/array $table Table name
*
* @return string formatted and sanitzed table name
* @throws \Exception
*/
public static function formatTableName($table)
{
if (is_string($table)) {
return "`" . self::sanitizeIdentifier($table) . "`";
}
if (!is_array($table)) {
return '';
}
$scheme = key($table);
return "`" . self::sanitizeIdentifier($scheme) . "`.`" . self::sanitizeIdentifier($table[$scheme]) . "`";
}
/** /**
* @brief Insert a row into a table * @brief Insert a row into a table
* *
@ -889,7 +925,7 @@ class DBA
return false; return false;
} }
$sql = "INSERT INTO `".self::escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (". $sql = "INSERT INTO " . self::formatTableName($table) . " (`".implode("`, `", array_keys($param))."`) VALUES (".
substr(str_repeat("?, ", count($param)), 0, -2).")"; substr(str_repeat("?, ", count($param)), 0, -2).")";
if ($on_duplicate_update) { if ($on_duplicate_update) {
@ -938,7 +974,7 @@ class DBA
self::$connection->autocommit(false); self::$connection->autocommit(false);
} }
$success = self::e("LOCK TABLES `".self::escape($table)."` WRITE"); $success = self::e("LOCK TABLES " . self::formatTableName($table) ." WRITE");
if (self::$driver == 'pdo') { if (self::$driver == 'pdo') {
self::$connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); self::$connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
@ -1119,7 +1155,7 @@ class DBA
$callstack[$key] = true; $callstack[$key] = true;
$table = self::escape($table); $table = self::sanitizeIdentifier($table);
$commands[$key] = ['table' => $table, 'conditions' => $conditions]; $commands[$key] = ['table' => $table, 'conditions' => $conditions];
@ -1272,8 +1308,6 @@ class DBA
return false; return false;
} }
$table = self::escape($table);
$condition_string = self::buildCondition($condition); $condition_string = self::buildCondition($condition);
if (is_bool($old_fields)) { if (is_bool($old_fields)) {
@ -1306,7 +1340,7 @@ class DBA
return true; return true;
} }
$sql = "UPDATE `".$table."` SET `". $sql = "UPDATE ". self::formatTableName($table) . " SET `".
implode("` = ?, `", array_keys($fields))."` = ?".$condition_string; implode("` = ?, `", array_keys($fields))."` = ?".$condition_string;
$params1 = array_values($fields); $params1 = array_values($fields);
@ -1367,12 +1401,10 @@ class DBA
*/ */
public static function select($table, array $fields = [], array $condition = [], array $params = []) public static function select($table, array $fields = [], array $condition = [], array $params = [])
{ {
if ($table == '') { if (empty($table)) {
return false; return false;
} }
$table = self::escape($table);
if (count($fields) > 0) { if (count($fields) > 0) {
$select_fields = "`" . implode("`, `", array_values($fields)) . "`"; $select_fields = "`" . implode("`, `", array_values($fields)) . "`";
} else { } else {
@ -1383,7 +1415,7 @@ class DBA
$param_string = self::buildParameter($params); $param_string = self::buildParameter($params);
$sql = "SELECT " . $select_fields . " FROM `" . $table . "`" . $condition_string . $param_string; $sql = "SELECT " . $select_fields . " FROM " . self::formatTableName($table) . $condition_string . $param_string;
$result = self::p($sql, $condition); $result = self::p($sql, $condition);
@ -1410,13 +1442,13 @@ class DBA
*/ */
public static function count($table, array $condition = []) public static function count($table, array $condition = [])
{ {
if ($table == '') { if (empty($table)) {
return false; return false;
} }
$condition_string = self::buildCondition($condition); $condition_string = self::buildCondition($condition);
$sql = "SELECT COUNT(*) AS `count` FROM `".$table."`".$condition_string; $sql = "SELECT COUNT(*) AS `count` FROM " . self::formatTableName($table) . $condition_string;
$row = self::fetchFirst($sql, $condition); $row = self::fetchFirst($sql, $condition);