}
}
+ /**
+ * Removes every not whitelisted character from the identifier string
+ *
+ * @param string $identifier
+ *
+ * @return string sanitized identifier
+ * @throws \Exception
+ */
+ private static function sanitizeIdentifier($identifier)
+ {
+ return preg_replace('/[^A-Za-z0-9_\-]+/', '', $identifier);
+ }
+
public static function escape($str) {
if (self::$connected) {
switch (self::$driver) {
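Review bot: sanitizeIdentifier() silently deletes disallowed characters instead of rejecting the identifier, so a malformed or hostile table name is rewritten into a different, possibly valid one and the query still runs. The docblock declares `@throws \Exception`, but nothing in the body throws, and preg_replace() returns null on a PCRE error, which the callers would concatenate as an empty name. Failing closed would match the docblock: `if (!is_string($identifier) || preg_match('/^[A-Za-z0-9_\-]+$/D', $identifier) !== 1) { throw new \Exception('Invalid identifier'); }`. The same concern applies to the call sites in formatTableName() and to the `$table = self::sanitizeIdentifier($table);` assignment further down, where a fully stripped name becomes an empty string.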
public static function formatTableName($table)
{
if (is_string($table)) {
- return "`" . self::escape($table) . "`";
+ return "`" . self::sanitizeIdentifier($table) . "`";
}
if (!is_array($table)) {
$scheme = key($table);
- return "`" . self::escape($scheme) . "`.`" . self::escape($table[$scheme]) . "`";
+ return "`" . self::sanitizeIdentifier($scheme) . "`.`" . self::sanitizeIdentifier($table[$scheme]) . "`";
}
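Review bot: In the array branch, `key($table)` can return an integer for a list-style array or null for an empty one, and either value is passed straight into sanitizeIdentifier() and used to index `$table`. The result is a schema part such as `0`, or an empty quoted name, rather than an error. A guard on `!is_string($scheme) || !is_string($table[$scheme] ?? null)` before the return, handled the same way the function handles non-array input, would keep malformed input out of the generated SQL. Lines between the `is_array` check and `$scheme = key($table);` appear to be missing from this view, so confirm that no such check already exists there.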
/**
$callstack[$key] = true;
- $table = self::escape($table);
+ $table = self::sanitizeIdentifier($table);
$commands[$key] = ['table' => $table, 'conditions' => $conditions];