Merge pull request #7174 from MrPetovan/task/dba-quote-identifiers

DBA: Correctly escape identifier names
This commit is contained in:
Philipp 2019-07-29 14:37:09 +02:00 committed by GitHub
commit 70ba9e5e0c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 129 additions and 106 deletions

View File

@ -180,8 +180,8 @@ class DBA extends BaseObject
/**
* @brief Check if data exists
*
* @param string $table Table name
* @param array $condition array of fields for condition
* @param string|array $table Table name or array [schema => table]
* @param array $condition array of fields for condition
*
* @return boolean Are there rows for that condition?
* @throws \Exception
@ -253,9 +253,9 @@ class DBA extends BaseObject
/**
* @brief Insert a row into a table
*
* @param string $table Table name
* @param array $param parameter array
* @param bool $on_duplicate_update Do an update on a duplicate entry
* @param string|array $table Table name or array [schema => table]
* @param array $param parameter array
* @param bool $on_duplicate_update Do an update on a duplicate entry
*
* @return boolean was the insert successful?
* @throws \Exception
@ -280,7 +280,7 @@ class DBA extends BaseObject
*
* This function can be extended in the future to accept a table array as well.
*
* @param string $table Table name
* @param string|array $table Table name or array [schema => table]
*
* @return boolean was the lock successful?
* @throws \Exception
@ -369,7 +369,7 @@ class DBA extends BaseObject
* Only set $old_fields to a boolean value when you are sure that you will update a single row.
* When you set $old_fields to "true" then $fields must contain all relevant fields!
*
* @param string $table Table name
* @param string|array $table Table name or array [schema => table]
* @param array $fields contains the fields that are updated
* @param array $condition condition array with the key values
* @param array|boolean $old_fields array with the old field values that are about to be replaced (true = update on duplicate)
@ -386,10 +386,10 @@ class DBA extends BaseObject
* Retrieve a single record from a table and returns it in an associative array
*
* @brief Retrieve a single record from a table
* @param string $table
* @param array $fields
* @param array $condition
* @param array $params
* @param string|array $table Table name or array [schema => table]
* @param array $fields
* @param array $condition
* @param array $params
* @return bool|array
* @throws \Exception
* @see self::select
@ -402,10 +402,10 @@ class DBA extends BaseObject
/**
* @brief Select rows from a table and fills an array with the data
*
* @param string $table Table name
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
* @param string|array $table Table name or array [schema => table]
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
*
* @return array Data array
* @throws \Exception
@ -419,10 +419,10 @@ class DBA extends BaseObject
/**
* @brief Select rows from a table
*
* @param string $table Table name
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
* @param string|array $table Table name or array [schema => table]
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
*
* @return boolean|object
*
@ -447,8 +447,8 @@ class DBA extends BaseObject
/**
* @brief Counts the rows from a table satisfying the provided condition
*
* @param string $table Table name
* @param array $condition array of fields for condition
* @param string|array $table Table name or array [schema => table]
* @param array $condition array of fields for condition
*
* @return int
*
@ -467,6 +467,47 @@ class DBA extends BaseObject
return self::getClass(Database::class)->count($table, $condition);
}
/**
* Build the table query substring from one or more tables, with or without a schema.
*
* Expected formats:
* - table
* - [table1, table2, ...]
* - [schema1 => table1, schema2 => table2, table3, ...]
*
* @param string|array $tables
* @return string
*/
public static function buildTableString($tables)
{
if (is_string($tables)) {
$tables = [$tables];
}
$quotedTables = [];
foreach ($tables as $schema => $table) {
if (is_numeric($schema)) {
$quotedTables[] = self::quoteIdentifier($table);
} else {
$quotedTables[] = self::quoteIdentifier($schema) . '.' . self::quoteIdentifier($table);
}
}
return implode(', ', $quotedTables);
}
/**
* Escape an identifier (table or field name)
*
* @param $identifier
* @return string
*/
public static function quoteIdentifier($identifier)
{
return '`' . str_replace('`', '``', $identifier) . '`';
}
/**
* @brief Returns the SQL condition string built from the provided condition array
*
@ -527,12 +568,12 @@ class DBA extends BaseObject
$new_values = array_merge($new_values, array_values($value));
$placeholders = substr(str_repeat("?, ", count($value)), 0, -2);
$condition_string .= "`" . $field . "` IN (" . $placeholders . ")";
$condition_string .= self::quoteIdentifier($field) . " IN (" . $placeholders . ")";
} elseif (is_null($value)) {
$condition_string .= "`" . $field . "` IS NULL";
$condition_string .= self::quoteIdentifier($field) . " IS NULL";
} else {
$new_values[$field] = $value;
$condition_string .= "`" . $field . "` = ?";
$condition_string .= self::quoteIdentifier($field) . " = ?";
}
}
$condition_string = " WHERE (" . $condition_string . ")";
@ -552,12 +593,8 @@ class DBA extends BaseObject
public static function buildParameter(array $params = [])
{
$groupby_string = '';
if (isset($params['group_by'])) {
$groupby_string = " GROUP BY ";
foreach ($params['group_by'] as $fields) {
$groupby_string .= "`" . $fields . "`, ";
}
$groupby_string = substr($groupby_string, 0, -2);
if (!empty($params['group_by'])) {
$groupby_string = " GROUP BY " . implode(', ', array_map(['self', 'quoteIdentifier'], $params['group_by']));
}
$order_string = '';
@ -567,9 +604,9 @@ class DBA extends BaseObject
if ($order === 'RAND()') {
$order_string .= "RAND(), ";
} elseif (!is_int($fields)) {
$order_string .= "`" . $fields . "` " . ($order ? "DESC" : "ASC") . ", ";
$order_string .= self::quoteIdentifier($fields) . " " . ($order ? "DESC" : "ASC") . ", ";
} else {
$order_string .= "`" . $order . "`, ";
$order_string .= self::quoteIdentifier($order) . ", ";
}
}
$order_string = substr($order_string, 0, -2);

View File

@ -40,16 +40,19 @@ class DBStructure
*/
public static function convertToInnoDB()
{
$r = q("SELECT `TABLE_NAME` FROM `information_schema`.`tables` WHERE `engine` = 'MyISAM' AND `table_schema` = '%s'",
DBA::escape(DBA::databaseName()));
$tables = DBA::selectToArray(
['information_schema' => 'tables'],
['table_name'],
['engine' => 'MyISAM', 'table_schema' => DBA::databaseName()]
);
if (!DBA::isResult($r)) {
if (!DBA::isResult($tables)) {
echo L10n::t('There are no tables on MyISAM.') . "\n";
return;
}
foreach ($r AS $table) {
$sql = sprintf("ALTER TABLE `%s` engine=InnoDB;", DBA::escape($table['TABLE_NAME']));
foreach ($tables AS $table) {
$sql = "ALTER TABLE " . DBA::quoteIdentifier($table['TABLE_NAME']) . " engine=InnoDB;";
echo $sql . "\n";
$result = DBA::e($sql);
@ -817,7 +820,7 @@ class DBStructure
/**
* Check if a table exists
*
* @param string $table Table name
* @param string|array $table Table name
*
* @return boolean Does the table exist?
* @throws Exception
@ -828,21 +831,15 @@ class DBStructure
return false;
}
$table = DBA::escape($table);
$sql = "SHOW TABLES LIKE '" . $table . "';";
$stmt = DBA::p($sql);
if (is_bool($stmt)) {
$retval = $stmt;
if (is_array($table)) {
$condition = ['table_schema' => key($table), 'table_name' => current($table)];
} else {
$retval = (DBA::numRows($stmt) > 0);
$condition = ['table_schema' => DBA::databaseName(), 'table_name' => $table];
}
DBA::close($stmt);
$result = DBA::exists(['information_schema' => 'tables'], $condition);
return $retval;
return $result;
}
/**

View File

@ -725,8 +725,8 @@ class Database
/**
* @brief Check if data exists
*
* @param string $table Table name
* @param array $condition array of fields for condition
* @param string|array $table Table name or array [schema => table]
* @param array $condition array of fields for condition
*
* @return boolean Are there rows for that condition?
* @throws \Exception
@ -906,49 +906,32 @@ class Database
/**
* @brief Insert a row into a table
*
* @param string/array $table Table name
*
* @return string formatted and sanitzed table name
* @throws \Exception
*/
public function formatTableName($table)
{
if (is_string($table)) {
return "`" . $this->sanitizeIdentifier($table) . "`";
}
if (!is_array($table)) {
return '';
}
$scheme = key($table);
return "`" . $this->sanitizeIdentifier($scheme) . "`.`" . $this->sanitizeIdentifier($table[$scheme]) . "`";
}
/**
* @brief Insert a row into a table
*
* @param string $table Table name
* @param array $param parameter array
* @param bool $on_duplicate_update Do an update on a duplicate entry
* @param string|array $table Table name or array [schema => table]
* @param array $param parameter array
* @param bool $on_duplicate_update Do an update on a duplicate entry
*
* @return boolean was the insert successful?
* @throws \Exception
*/
public function insert($table, $param, $on_duplicate_update = false)
{
if (empty($table) || empty($param)) {
$this->logger->info('Table and fields have to be set');
return false;
}
$sql = "INSERT INTO " . $this->formatTableName($table) . " (`" . implode("`, `", array_keys($param)) . "`) VALUES (" .
substr(str_repeat("?, ", count($param)), 0, -2) . ")";
$table_string = DBA::buildTableString($table);
$fields_string = implode(', ', array_map([DBA::class, 'quoteIdentifier'], array_keys($param)));
$values_string = substr(str_repeat("?, ", count($param)), 0, -2);
$sql = "INSERT INTO " . $table_string . " (" . $fields_string . ") VALUES (" . $values_string . ")";
if ($on_duplicate_update) {
$sql .= " ON DUPLICATE KEY UPDATE `" . implode("` = ?, `", array_keys($param)) . "` = ?";
$fields_string = implode(' = ?, ', array_map([DBA::class, 'quoteIdentifier'], array_keys($param)));
$sql .= " ON DUPLICATE KEY UPDATE " . $fields_string . " = ?";
$values = array_values($param);
$param = array_merge_recursive($values, $values);
@ -980,7 +963,7 @@ class Database
*
* This function can be extended in the future to accept a table array as well.
*
* @param string $table Table name
* @param string|array $table Table name or array [schema => table]
*
* @return boolean was the lock successful?
* @throws \Exception
@ -995,7 +978,7 @@ class Database
$this->connection->autocommit(false);
}
$success = $this->e("LOCK TABLES " . $this->formatTableName($table) . " WRITE");
$success = $this->e("LOCK TABLES " . DBA::buildTableString($table) . " WRITE");
if ($this->driver == 'pdo') {
$this->connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
@ -1152,6 +1135,8 @@ class Database
/**
* @brief Delete a row from a table
*
* Note: this methods does NOT accept schema => table arrays because of the complex relation stuff.
*
* @param string $table Table name
* @param array $conditions Field condition(s)
* @param array $options
@ -1176,13 +1161,11 @@ class Database
// We quit when this key already exists in the callstack.
if (isset($callstack[$key])) {
return $commands;
return true;
}
$callstack[$key] = true;
$table = $this->sanitizeIdentifier($table);
$commands[$key] = ['table' => $table, 'conditions' => $conditions];
// Don't use "defaults" here, since it would set "false" to "true"
@ -1250,7 +1233,7 @@ class Database
$condition_string = DBA::buildCondition($conditions);
if ((count($command['conditions']) > 1) || is_int($first_key)) {
$sql = "DELETE FROM `" . $command['table'] . "`" . $condition_string;
$sql = "DELETE FROM " . DBA::quoteIdentifier($command['table']) . " " . $condition_string;
$this->logger->debug($this->replaceParameters($sql, $conditions));
if (!$this->e($sql, $conditions)) {
@ -1278,7 +1261,7 @@ class Database
foreach ($compacted AS $table => $values) {
foreach ($values AS $field => $field_value_list) {
foreach ($field_value_list AS $field_values) {
$sql = "DELETE FROM `" . $table . "` WHERE `" . $field . "` IN (" .
$sql = "DELETE FROM " . DBA::quoteIdentifier($table) . " WHERE " . DBA::quoteIdentifier($field) . " IN (" .
substr(str_repeat("?, ", count($field_values)), 0, -2) . ");";
$this->logger->debug($this->replaceParameters($sql, $field_values));
@ -1319,7 +1302,7 @@ class Database
* Only set $old_fields to a boolean value when you are sure that you will update a single row.
* When you set $old_fields to "true" then $fields must contain all relevant fields!
*
* @param string $table Table name
* @param string|array $table Table name or array [schema => table]
* @param array $fields contains the fields that are updated
* @param array $condition condition array with the key values
* @param array|boolean $old_fields array with the old field values that are about to be replaced (true = update on duplicate)
@ -1329,12 +1312,13 @@ class Database
*/
public function update($table, $fields, $condition, $old_fields = [])
{
if (empty($table) || empty($fields) || empty($condition)) {
$this->logger->info('Table, fields and condition have to be set');
return false;
}
$table_string = DBA::buildTableString($table);
$condition_string = DBA::buildCondition($condition);
if (is_bool($old_fields)) {
@ -1367,8 +1351,9 @@ class Database
return true;
}
$sql = "UPDATE " . $this->formatTableName($table) . " SET `" .
implode("` = ?, `", array_keys($fields)) . "` = ?" . $condition_string;
$sql = "UPDATE " . $table_string . " SET "
. implode(" = ?, ", array_map([DBA::class, 'quoteIdentifier'], array_keys($fields))) . " = ?"
. $condition_string;
$params1 = array_values($fields);
$params2 = array_values($condition);
@ -1408,10 +1393,10 @@ class Database
/**
* @brief Select rows from a table and fills an array with the data
*
* @param string $table Table name
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
* @param string|array $table Table name or array [schema => table]
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
*
* @return array Data array
* @throws \Exception
@ -1425,10 +1410,10 @@ class Database
/**
* @brief Select rows from a table
*
* @param string $table Table name
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
* @param string|array $table Table name or array [schema => table]
* @param array $fields Array of selected fields, empty for all
* @param array $condition Array of fields for condition
* @param array $params Array of several parameters
*
* @return boolean|object
*
@ -1452,16 +1437,18 @@ class Database
}
if (count($fields) > 0) {
$select_fields = "`" . implode("`, `", array_values($fields)) . "`";
$select_string = implode(', ', array_map([DBA::class, 'quoteIdentifier'], $fields));
} else {
$select_fields = "*";
$select_string = '*';
}
$table_string = DBA::buildTableString($table);
$condition_string = DBA::buildCondition($condition);
$param_string = DBA::buildParameter($params);
$sql = "SELECT " . $select_fields . " FROM " . $this->formatTableName($table) . $condition_string . $param_string;
$sql = "SELECT " . $select_string . " FROM " . $table_string . $condition_string . $param_string;
$result = $this->p($sql, $condition);
@ -1471,8 +1458,8 @@ class Database
/**
* @brief Counts the rows from a table satisfying the provided condition
*
* @param string $table Table name
* @param array $condition array of fields for condition
* @param string|array $table Table name or array [schema => table]
* @param array $condition Array of fields for condition
*
* @return int
*
@ -1492,9 +1479,11 @@ class Database
return false;
}
$table_string = DBA::buildTableString($table);
$condition_string = DBA::buildCondition($condition);
$sql = "SELECT COUNT(*) AS `count` FROM " . $this->formatTableName($table) . $condition_string;
$sql = "SELECT COUNT(*) AS `count` FROM " . $table_string . $condition_string;
$row = $this->fetchFirst($sql, $condition);