Fix table name sanitation / enable table schemes

diff --git a/src/Database/DBA.php b/src/Database/DBA.php
index 2327e4a7f675f9f51c59af3901261fa2139f48d7..6cf9cce4344fd267f9fa98ebb20671e4a18cc7dd 100644 (file)
--- a/src/Database/DBA.php
+++ b/src/Database/DBA.php
@@ -872,6 +872,29 @@ class DBA
                return $columns;
        }
 
+       /**
+        * @brief Insert a row into a table
+        *
+        * @param string/array $table Table name
+        *
+        * @return string formatted and sanitzed table name
+        * @throws \Exception
+        */
+       public static function formatTableName($table)
+       {
+               if (is_string($table)) {
+                       return "`" . self::escape($table) . "`";
+               }
+
+               if (!is_array($table)) {
+                       return '';
+               }
+
+               $scheme = key($table);
+
+               return "`" . self::escape($scheme) . "`.`" . self::escape($table[$scheme]) . "`";
+       }
+
        /**
         * @brief Insert a row into a table
         *
@@ -889,7 +912,7 @@ class DBA
                        return false;
                }
 
-               $sql = "INSERT INTO `".self::escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
+               $sql = "INSERT INTO " . self::formatTableName($table) . " (`".implode("`, `", array_keys($param))."`) VALUES (".
                        substr(str_repeat("?, ", count($param)), 0, -2).")";
 
                if ($on_duplicate_update) {
@@ -938,7 +961,7 @@ class DBA
                        self::$connection->autocommit(false);
                }
 
-               $success = self::e("LOCK TABLES `".self::escape($table)."` WRITE");
+               $success = self::e("LOCK TABLES " . self::formatTableName($table) ." WRITE");
 
                if (self::$driver == 'pdo') {
                        self::$connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
@@ -1272,8 +1295,6 @@ class DBA
                        return false;
                }
 
-               $table = self::escape($table);
-
                $condition_string = self::buildCondition($condition);
 
                if (is_bool($old_fields)) {
@@ -1306,7 +1327,7 @@ class DBA
                        return true;
                }
 
-               $sql = "UPDATE `".$table."` SET `".
+               $sql = "UPDATE ". self::formatTableName($table) . " SET `".
                        implode("` = ?, `", array_keys($fields))."` = ?".$condition_string;
 
                $params1 = array_values($fields);
@@ -1367,12 +1388,10 @@ class DBA
         */
        public static function select($table, array $fields = [], array $condition = [], array $params = [])
        {
-               if ($table == '') {
+               if (empty($table)) {
                        return false;
                }
 
-               $table = self::escape($table);
-
                if (count($fields) > 0) {
                        $select_fields = "`" . implode("`, `", array_values($fields)) . "`";
                } else {
@@ -1383,7 +1402,7 @@ class DBA
 
                $param_string = self::buildParameter($params);
 
-               $sql = "SELECT " . $select_fields . " FROM `" . $table . "`" . $condition_string . $param_string;
+               $sql = "SELECT " . $select_fields . " FROM " . self::formatTableName($table) . $condition_string . $param_string;
 
                $result = self::p($sql, $condition);
 
@@ -1410,13 +1429,13 @@ class DBA
         */
        public static function count($table, array $condition = [])
        {
-               if ($table == '') {
+               if (empty($table)) {
                        return false;
                }
 
                $condition_string = self::buildCondition($condition);
 
-               $sql = "SELECT COUNT(*) AS `count` FROM `".$table."`".$condition_string;
+               $sql = "SELECT COUNT(*) AS `count` FROM " . self::formatTableName($table) . $condition_string;
 
                $row = self::fetchFirst($sql, $condition);