mirror of
https://github.com/friendica/friendica
synced 2024-11-10 05:02:58 +00:00
Identifier have to be escaped different than values
parent
1f6f588872
commit
30143aa5b1
1 changed files with 16 additions and 3 deletions
|
@ -288,6 +288,19 @@ class DBA
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes every not whitelisted character from the identifier string
|
||||
*
|
||||
* @param string $identifier
|
||||
*
|
||||
* @return string sanitized identifier
|
||||
* @throws \Exception
|
||||
*/
|
||||
private static function sanitizeIdentifier($identifier)
|
||||
{
|
||||
return preg_replace('/[^A-Za-z0-9_\-]+/', '', $identifier);
|
||||
}
|
||||
|
||||
public static function escape($str) {
|
||||
if (self::$connected) {
|
||||
switch (self::$driver) {
|
||||
|
@ -883,7 +896,7 @@ class DBA
|
|||
public static function formatTableName($table)
|
||||
{
|
||||
if (is_string($table)) {
|
||||
return "`" . self::escape($table) . "`";
|
||||
return "`" . self::sanitizeIdentifier($table) . "`";
|
||||
}
|
||||
|
||||
if (!is_array($table)) {
|
||||
|
@ -892,7 +905,7 @@ class DBA
|
|||
|
||||
$scheme = key($table);
|
||||
|
||||
return "`" . self::escape($scheme) . "`.`" . self::escape($table[$scheme]) . "`";
|
||||
return "`" . self::sanitizeIdentifier($scheme) . "`.`" . self::sanitizeIdentifier($table[$scheme]) . "`";
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1142,7 +1155,7 @@ class DBA
|
|||
|
||||
$callstack[$key] = true;
|
||||
|
||||
$table = self::escape($table);
|
||||
$table = self::sanitizeIdentifier($table);
|
||||
|
||||
$commands[$key] = ['table' => $table, 'conditions' => $conditions];
|
||||
|
||||
|
|
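Review bot: sanitizeIdentifier() strips disallowed characters and returns whatever is left, so a malformed table or schema name is silently rewritten into a different (possibly empty) identifier instead of being rejected, and the docblock's `@throws \Exception` does not match a body that never throws. In the last hunk the rewritten name is stored in `$commands[$key]`, so a name that loses characters could end up addressing a table other than the one the caller passed; this is inferred, since the rest of that function is outside the hunk. Failing closed would be safer: keep the preg_replace() result in a local and add `if (!is_string($clean) || $clean === '' || $clean !== $identifier) { throw new \Exception('Invalid identifier'); }` before `return $clean;`. That check also covers the `null` preg_replace() returns on error and the `$scheme` / `$table[$scheme]` values, which are not type-checked in the visible lines of formatTableName().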