Merge pull request #7174 from MrPetovan/task/dba-quote-identifiers
DBA: Correctly escape identifier names
This commit is contained in:
commit
70ba9e5e0c
|
@ -180,8 +180,8 @@ class DBA extends BaseObject
|
|||
/**
|
||||
* @brief Check if data exists
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $condition array of fields for condition
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $condition array of fields for condition
|
||||
*
|
||||
* @return boolean Are there rows for that condition?
|
||||
* @throws \Exception
|
||||
|
@ -253,9 +253,9 @@ class DBA extends BaseObject
|
|||
/**
|
||||
* @brief Insert a row into a table
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $param parameter array
|
||||
* @param bool $on_duplicate_update Do an update on a duplicate entry
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $param parameter array
|
||||
* @param bool $on_duplicate_update Do an update on a duplicate entry
|
||||
*
|
||||
* @return boolean was the insert successful?
|
||||
* @throws \Exception
|
||||
|
@ -280,7 +280,7 @@ class DBA extends BaseObject
|
|||
*
|
||||
* This function can be extended in the future to accept a table array as well.
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
*
|
||||
* @return boolean was the lock successful?
|
||||
* @throws \Exception
|
||||
|
@ -369,7 +369,7 @@ class DBA extends BaseObject
|
|||
* Only set $old_fields to a boolean value when you are sure that you will update a single row.
|
||||
* When you set $old_fields to "true" then $fields must contain all relevant fields!
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $fields contains the fields that are updated
|
||||
* @param array $condition condition array with the key values
|
||||
* @param array|boolean $old_fields array with the old field values that are about to be replaced (true = update on duplicate)
|
||||
|
@ -386,10 +386,10 @@ class DBA extends BaseObject
|
|||
* Retrieve a single record from a table and returns it in an associative array
|
||||
*
|
||||
* @brief Retrieve a single record from a table
|
||||
* @param string $table
|
||||
* @param array $fields
|
||||
* @param array $condition
|
||||
* @param array $params
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $fields
|
||||
* @param array $condition
|
||||
* @param array $params
|
||||
* @return bool|array
|
||||
* @throws \Exception
|
||||
* @see self::select
|
||||
|
@ -402,10 +402,10 @@ class DBA extends BaseObject
|
|||
/**
|
||||
* @brief Select rows from a table and fills an array with the data
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
*
|
||||
* @return array Data array
|
||||
* @throws \Exception
|
||||
|
@ -419,10 +419,10 @@ class DBA extends BaseObject
|
|||
/**
|
||||
* @brief Select rows from a table
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
*
|
||||
* @return boolean|object
|
||||
*
|
||||
|
@ -447,8 +447,8 @@ class DBA extends BaseObject
|
|||
/**
|
||||
* @brief Counts the rows from a table satisfying the provided condition
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $condition array of fields for condition
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $condition array of fields for condition
|
||||
*
|
||||
* @return int
|
||||
*
|
||||
|
@ -467,6 +467,47 @@ class DBA extends BaseObject
|
|||
return self::getClass(Database::class)->count($table, $condition);
|
||||
}
|
||||
|
||||
/**
|
||||
* Build the table query substring from one or more tables, with or without a schema.
|
||||
*
|
||||
* Expected formats:
|
||||
* - table
|
||||
* - [table1, table2, ...]
|
||||
* - [schema1 => table1, schema2 => table2, table3, ...]
|
||||
*
|
||||
* @param string|array $tables
|
||||
* @return string
|
||||
*/
|
||||
public static function buildTableString($tables)
|
||||
{
|
||||
if (is_string($tables)) {
|
||||
$tables = [$tables];
|
||||
}
|
||||
|
||||
$quotedTables = [];
|
||||
|
||||
foreach ($tables as $schema => $table) {
|
||||
if (is_numeric($schema)) {
|
||||
$quotedTables[] = self::quoteIdentifier($table);
|
||||
} else {
|
||||
$quotedTables[] = self::quoteIdentifier($schema) . '.' . self::quoteIdentifier($table);
|
||||
}
|
||||
}
|
||||
|
||||
return implode(', ', $quotedTables);
|
||||
}
|
||||
|
||||
/**
|
||||
* Escape an identifier (table or field name)
|
||||
*
|
||||
* @param $identifier
|
||||
* @return string
|
||||
*/
|
||||
public static function quoteIdentifier($identifier)
|
||||
{
|
||||
return '`' . str_replace('`', '``', $identifier) . '`';
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Returns the SQL condition string built from the provided condition array
|
||||
*
|
||||
|
@ -527,12 +568,12 @@ class DBA extends BaseObject
|
|||
|
||||
$new_values = array_merge($new_values, array_values($value));
|
||||
$placeholders = substr(str_repeat("?, ", count($value)), 0, -2);
|
||||
$condition_string .= "`" . $field . "` IN (" . $placeholders . ")";
|
||||
$condition_string .= self::quoteIdentifier($field) . " IN (" . $placeholders . ")";
|
||||
} elseif (is_null($value)) {
|
||||
$condition_string .= "`" . $field . "` IS NULL";
|
||||
$condition_string .= self::quoteIdentifier($field) . " IS NULL";
|
||||
} else {
|
||||
$new_values[$field] = $value;
|
||||
$condition_string .= "`" . $field . "` = ?";
|
||||
$condition_string .= self::quoteIdentifier($field) . " = ?";
|
||||
}
|
||||
}
|
||||
$condition_string = " WHERE (" . $condition_string . ")";
|
||||
|
@ -552,12 +593,8 @@ class DBA extends BaseObject
|
|||
public static function buildParameter(array $params = [])
|
||||
{
|
||||
$groupby_string = '';
|
||||
if (isset($params['group_by'])) {
|
||||
$groupby_string = " GROUP BY ";
|
||||
foreach ($params['group_by'] as $fields) {
|
||||
$groupby_string .= "`" . $fields . "`, ";
|
||||
}
|
||||
$groupby_string = substr($groupby_string, 0, -2);
|
||||
if (!empty($params['group_by'])) {
|
||||
$groupby_string = " GROUP BY " . implode(', ', array_map(['self', 'quoteIdentifier'], $params['group_by']));
|
||||
}
|
||||
|
||||
$order_string = '';
|
||||
|
@ -567,9 +604,9 @@ class DBA extends BaseObject
|
|||
if ($order === 'RAND()') {
|
||||
$order_string .= "RAND(), ";
|
||||
} elseif (!is_int($fields)) {
|
||||
$order_string .= "`" . $fields . "` " . ($order ? "DESC" : "ASC") . ", ";
|
||||
$order_string .= self::quoteIdentifier($fields) . " " . ($order ? "DESC" : "ASC") . ", ";
|
||||
} else {
|
||||
$order_string .= "`" . $order . "`, ";
|
||||
$order_string .= self::quoteIdentifier($order) . ", ";
|
||||
}
|
||||
}
|
||||
$order_string = substr($order_string, 0, -2);
|
||||
|
|
|
@ -40,16 +40,19 @@ class DBStructure
|
|||
*/
|
||||
public static function convertToInnoDB()
|
||||
{
|
||||
$r = q("SELECT `TABLE_NAME` FROM `information_schema`.`tables` WHERE `engine` = 'MyISAM' AND `table_schema` = '%s'",
|
||||
DBA::escape(DBA::databaseName()));
|
||||
$tables = DBA::selectToArray(
|
||||
['information_schema' => 'tables'],
|
||||
['table_name'],
|
||||
['engine' => 'MyISAM', 'table_schema' => DBA::databaseName()]
|
||||
);
|
||||
|
||||
if (!DBA::isResult($r)) {
|
||||
if (!DBA::isResult($tables)) {
|
||||
echo L10n::t('There are no tables on MyISAM.') . "\n";
|
||||
return;
|
||||
}
|
||||
|
||||
foreach ($r AS $table) {
|
||||
$sql = sprintf("ALTER TABLE `%s` engine=InnoDB;", DBA::escape($table['TABLE_NAME']));
|
||||
foreach ($tables AS $table) {
|
||||
$sql = "ALTER TABLE " . DBA::quoteIdentifier($table['TABLE_NAME']) . " engine=InnoDB;";
|
||||
echo $sql . "\n";
|
||||
|
||||
$result = DBA::e($sql);
|
||||
|
@ -817,7 +820,7 @@ class DBStructure
|
|||
/**
|
||||
* Check if a table exists
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param string|array $table Table name
|
||||
*
|
||||
* @return boolean Does the table exist?
|
||||
* @throws Exception
|
||||
|
@ -828,21 +831,15 @@ class DBStructure
|
|||
return false;
|
||||
}
|
||||
|
||||
$table = DBA::escape($table);
|
||||
|
||||
$sql = "SHOW TABLES LIKE '" . $table . "';";
|
||||
|
||||
$stmt = DBA::p($sql);
|
||||
|
||||
if (is_bool($stmt)) {
|
||||
$retval = $stmt;
|
||||
if (is_array($table)) {
|
||||
$condition = ['table_schema' => key($table), 'table_name' => current($table)];
|
||||
} else {
|
||||
$retval = (DBA::numRows($stmt) > 0);
|
||||
$condition = ['table_schema' => DBA::databaseName(), 'table_name' => $table];
|
||||
}
|
||||
|
||||
DBA::close($stmt);
|
||||
$result = DBA::exists(['information_schema' => 'tables'], $condition);
|
||||
|
||||
return $retval;
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -725,8 +725,8 @@ class Database
|
|||
/**
|
||||
* @brief Check if data exists
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $condition array of fields for condition
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $condition array of fields for condition
|
||||
*
|
||||
* @return boolean Are there rows for that condition?
|
||||
* @throws \Exception
|
||||
|
@ -906,49 +906,32 @@ class Database
|
|||
/**
|
||||
* @brief Insert a row into a table
|
||||
*
|
||||
* @param string/array $table Table name
|
||||
*
|
||||
* @return string formatted and sanitzed table name
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function formatTableName($table)
|
||||
{
|
||||
if (is_string($table)) {
|
||||
return "`" . $this->sanitizeIdentifier($table) . "`";
|
||||
}
|
||||
|
||||
if (!is_array($table)) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$scheme = key($table);
|
||||
|
||||
return "`" . $this->sanitizeIdentifier($scheme) . "`.`" . $this->sanitizeIdentifier($table[$scheme]) . "`";
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Insert a row into a table
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $param parameter array
|
||||
* @param bool $on_duplicate_update Do an update on a duplicate entry
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $param parameter array
|
||||
* @param bool $on_duplicate_update Do an update on a duplicate entry
|
||||
*
|
||||
* @return boolean was the insert successful?
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function insert($table, $param, $on_duplicate_update = false)
|
||||
{
|
||||
|
||||
if (empty($table) || empty($param)) {
|
||||
$this->logger->info('Table and fields have to be set');
|
||||
return false;
|
||||
}
|
||||
|
||||
$sql = "INSERT INTO " . $this->formatTableName($table) . " (`" . implode("`, `", array_keys($param)) . "`) VALUES (" .
|
||||
substr(str_repeat("?, ", count($param)), 0, -2) . ")";
|
||||
$table_string = DBA::buildTableString($table);
|
||||
|
||||
$fields_string = implode(', ', array_map([DBA::class, 'quoteIdentifier'], array_keys($param)));
|
||||
|
||||
$values_string = substr(str_repeat("?, ", count($param)), 0, -2);
|
||||
|
||||
$sql = "INSERT INTO " . $table_string . " (" . $fields_string . ") VALUES (" . $values_string . ")";
|
||||
|
||||
if ($on_duplicate_update) {
|
||||
$sql .= " ON DUPLICATE KEY UPDATE `" . implode("` = ?, `", array_keys($param)) . "` = ?";
|
||||
$fields_string = implode(' = ?, ', array_map([DBA::class, 'quoteIdentifier'], array_keys($param)));
|
||||
|
||||
$sql .= " ON DUPLICATE KEY UPDATE " . $fields_string . " = ?";
|
||||
|
||||
$values = array_values($param);
|
||||
$param = array_merge_recursive($values, $values);
|
||||
|
@ -980,7 +963,7 @@ class Database
|
|||
*
|
||||
* This function can be extended in the future to accept a table array as well.
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
*
|
||||
* @return boolean was the lock successful?
|
||||
* @throws \Exception
|
||||
|
@ -995,7 +978,7 @@ class Database
|
|||
$this->connection->autocommit(false);
|
||||
}
|
||||
|
||||
$success = $this->e("LOCK TABLES " . $this->formatTableName($table) . " WRITE");
|
||||
$success = $this->e("LOCK TABLES " . DBA::buildTableString($table) . " WRITE");
|
||||
|
||||
if ($this->driver == 'pdo') {
|
||||
$this->connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
|
||||
|
@ -1152,6 +1135,8 @@ class Database
|
|||
/**
|
||||
* @brief Delete a row from a table
|
||||
*
|
||||
* Note: this methods does NOT accept schema => table arrays because of the complex relation stuff.
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $conditions Field condition(s)
|
||||
* @param array $options
|
||||
|
@ -1176,13 +1161,11 @@ class Database
|
|||
|
||||
// We quit when this key already exists in the callstack.
|
||||
if (isset($callstack[$key])) {
|
||||
return $commands;
|
||||
return true;
|
||||
}
|
||||
|
||||
$callstack[$key] = true;
|
||||
|
||||
$table = $this->sanitizeIdentifier($table);
|
||||
|
||||
$commands[$key] = ['table' => $table, 'conditions' => $conditions];
|
||||
|
||||
// Don't use "defaults" here, since it would set "false" to "true"
|
||||
|
@ -1250,7 +1233,7 @@ class Database
|
|||
$condition_string = DBA::buildCondition($conditions);
|
||||
|
||||
if ((count($command['conditions']) > 1) || is_int($first_key)) {
|
||||
$sql = "DELETE FROM `" . $command['table'] . "`" . $condition_string;
|
||||
$sql = "DELETE FROM " . DBA::quoteIdentifier($command['table']) . " " . $condition_string;
|
||||
$this->logger->debug($this->replaceParameters($sql, $conditions));
|
||||
|
||||
if (!$this->e($sql, $conditions)) {
|
||||
|
@ -1278,7 +1261,7 @@ class Database
|
|||
foreach ($compacted AS $table => $values) {
|
||||
foreach ($values AS $field => $field_value_list) {
|
||||
foreach ($field_value_list AS $field_values) {
|
||||
$sql = "DELETE FROM `" . $table . "` WHERE `" . $field . "` IN (" .
|
||||
$sql = "DELETE FROM " . DBA::quoteIdentifier($table) . " WHERE " . DBA::quoteIdentifier($field) . " IN (" .
|
||||
substr(str_repeat("?, ", count($field_values)), 0, -2) . ");";
|
||||
|
||||
$this->logger->debug($this->replaceParameters($sql, $field_values));
|
||||
|
@ -1319,7 +1302,7 @@ class Database
|
|||
* Only set $old_fields to a boolean value when you are sure that you will update a single row.
|
||||
* When you set $old_fields to "true" then $fields must contain all relevant fields!
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $fields contains the fields that are updated
|
||||
* @param array $condition condition array with the key values
|
||||
* @param array|boolean $old_fields array with the old field values that are about to be replaced (true = update on duplicate)
|
||||
|
@ -1329,12 +1312,13 @@ class Database
|
|||
*/
|
||||
public function update($table, $fields, $condition, $old_fields = [])
|
||||
{
|
||||
|
||||
if (empty($table) || empty($fields) || empty($condition)) {
|
||||
$this->logger->info('Table, fields and condition have to be set');
|
||||
return false;
|
||||
}
|
||||
|
||||
$table_string = DBA::buildTableString($table);
|
||||
|
||||
$condition_string = DBA::buildCondition($condition);
|
||||
|
||||
if (is_bool($old_fields)) {
|
||||
|
@ -1367,8 +1351,9 @@ class Database
|
|||
return true;
|
||||
}
|
||||
|
||||
$sql = "UPDATE " . $this->formatTableName($table) . " SET `" .
|
||||
implode("` = ?, `", array_keys($fields)) . "` = ?" . $condition_string;
|
||||
$sql = "UPDATE " . $table_string . " SET "
|
||||
. implode(" = ?, ", array_map([DBA::class, 'quoteIdentifier'], array_keys($fields))) . " = ?"
|
||||
. $condition_string;
|
||||
|
||||
$params1 = array_values($fields);
|
||||
$params2 = array_values($condition);
|
||||
|
@ -1408,10 +1393,10 @@ class Database
|
|||
/**
|
||||
* @brief Select rows from a table and fills an array with the data
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
*
|
||||
* @return array Data array
|
||||
* @throws \Exception
|
||||
|
@ -1425,10 +1410,10 @@ class Database
|
|||
/**
|
||||
* @brief Select rows from a table
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $fields Array of selected fields, empty for all
|
||||
* @param array $condition Array of fields for condition
|
||||
* @param array $params Array of several parameters
|
||||
*
|
||||
* @return boolean|object
|
||||
*
|
||||
|
@ -1452,16 +1437,18 @@ class Database
|
|||
}
|
||||
|
||||
if (count($fields) > 0) {
|
||||
$select_fields = "`" . implode("`, `", array_values($fields)) . "`";
|
||||
$select_string = implode(', ', array_map([DBA::class, 'quoteIdentifier'], $fields));
|
||||
} else {
|
||||
$select_fields = "*";
|
||||
$select_string = '*';
|
||||
}
|
||||
|
||||
$table_string = DBA::buildTableString($table);
|
||||
|
||||
$condition_string = DBA::buildCondition($condition);
|
||||
|
||||
$param_string = DBA::buildParameter($params);
|
||||
|
||||
$sql = "SELECT " . $select_fields . " FROM " . $this->formatTableName($table) . $condition_string . $param_string;
|
||||
$sql = "SELECT " . $select_string . " FROM " . $table_string . $condition_string . $param_string;
|
||||
|
||||
$result = $this->p($sql, $condition);
|
||||
|
||||
|
@ -1471,8 +1458,8 @@ class Database
|
|||
/**
|
||||
* @brief Counts the rows from a table satisfying the provided condition
|
||||
*
|
||||
* @param string $table Table name
|
||||
* @param array $condition array of fields for condition
|
||||
* @param string|array $table Table name or array [schema => table]
|
||||
* @param array $condition Array of fields for condition
|
||||
*
|
||||
* @return int
|
||||
*
|
||||
|
@ -1492,9 +1479,11 @@ class Database
|
|||
return false;
|
||||
}
|
||||
|
||||
$table_string = DBA::buildTableString($table);
|
||||
|
||||
$condition_string = DBA::buildCondition($condition);
|
||||
|
||||
$sql = "SELECT COUNT(*) AS `count` FROM " . $this->formatTableName($table) . $condition_string;
|
||||
$sql = "SELECT COUNT(*) AS `count` FROM " . $table_string . $condition_string;
|
||||
|
||||
$row = $this->fetchFirst($sql, $condition);
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user