From: Michael <heluecht@pirati.ca>
Date: Mon, 20 May 2019 20:38:18 +0000 (+0000)
Subject: Fix table name sanitation / enable table schemes
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=1f6f588872463e553e46b44df03ff51fb24f6bd0;p=friendica.git

Fix table name sanitation / enable table schemes
---

diff --git a/src/Database/DBA.php b/src/Database/DBA.php
index 2327e4a7f6..6cf9cce434 100644
--- a/src/Database/DBA.php
+++ b/src/Database/DBA.php
@@ -872,6 +872,29 @@ class DBA
 		return $columns;
 	}
 
+	/**
+	 * @brief Insert a row into a table
+	 *
+	 * @param string/array $table Table name
+	 *
+	 * @return string formatted and sanitzed table name
+	 * @throws \Exception
+	 */
+	public static function formatTableName($table)
+	{
+		if (is_string($table)) {
+			return "`" . self::escape($table) . "`";
+		}
+
+		if (!is_array($table)) {
+			return '';
+		}
+
+		$scheme = key($table);
+
+		return "`" . self::escape($scheme) . "`.`" . self::escape($table[$scheme]) . "`";
+	}
+
 	/**
 	 * @brief Insert a row into a table
 	 *
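Review bot: The docblock on formatTableName is copied from insert(): `@brief Insert a row into a table` should read `@brief Format and sanitize a table name, optionally scheme-qualified`, and `@param string/array $table Table name` should be `@param string|array $table Table name, or [scheme => table]`. More importantly, the new function wraps the name in backticks but sanitizes it with `self::escape()`, which is not visible here but is presumably the string-literal escaper (quotes and backslashes); inside a backtick-quoted identifier the only metacharacter is the backtick itself, which that escaping does not double, so a name containing a backtick would still terminate the identifier. An identifier-specific quoter such as `return '`' . str_replace('`', '``', $table) . '`';` (and the same for `$scheme` and `$table[$scheme]`) closes that for every caller this patch routes through the helper (insert, lock, update, select, count). The `!is_array($table)` branch returns `''`, which produces statements like `INSERT INTO  (...)` that fail later with an unhelpful error; since the docblock already declares `@throws \Exception`, throwing `new \InvalidArgumentException('Table name must be a string or array')` there would point straight at the faulty caller.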
@@ -889,7 +912,7 @@ class DBA
 			return false;
 		}
 
-		$sql = "INSERT INTO `".self::escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
+		$sql = "INSERT INTO " . self::formatTableName($table) . " (`".implode("`, `", array_keys($param))."`) VALUES (".
 			substr(str_repeat("?, ", count($param)), 0, -2).")";
 
 		if ($on_duplicate_update) {
@@ -938,7 +961,7 @@ class DBA
 			self::$connection->autocommit(false);
 		}
 
-		$success = self::e("LOCK TABLES `".self::escape($table)."` WRITE");
+		$success = self::e("LOCK TABLES " . self::formatTableName($table) ." WRITE");
 
 		if (self::$driver == 'pdo') {
 			self::$connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
@@ -1272,8 +1295,6 @@ class DBA
 			return false;
 		}
 
-		$table = self::escape($table);
-
 		$condition_string = self::buildCondition($condition);
 
 		if (is_bool($old_fields)) {
@@ -1306,7 +1327,7 @@ class DBA
 			return true;
 		}
 
-		$sql = "UPDATE `".$table."` SET `".
+		$sql = "UPDATE ". self::formatTableName($table) . " SET `".
 			implode("` = ?, `", array_keys($fields))."` = ?".$condition_string;
 
 		$params1 = array_values($fields);
@@ -1367,12 +1388,10 @@ class DBA
 	 */
 	public static function select($table, array $fields = [], array $condition = [], array $params = [])
 	{
-		if ($table == '') {
+		if (empty($table)) {
 			return false;
 		}
 
-		$table = self::escape($table);
-
 		if (count($fields) > 0) {
 			$select_fields = "`" . implode("`, `", array_values($fields)) . "`";
 		} else {
@@ -1383,7 +1402,7 @@ class DBA
 
 		$param_string = self::buildParameter($params);
 
-		$sql = "SELECT " . $select_fields . " FROM `" . $table . "`" . $condition_string . $param_string;
+		$sql = "SELECT " . $select_fields . " FROM " . self::formatTableName($table) . $condition_string . $param_string;
 
 		$result = self::p($sql, $condition);
 
@@ -1410,13 +1429,13 @@ class DBA
 	 */
 	public static function count($table, array $condition = [])
 	{
-		if ($table == '') {
+		if (empty($table)) {
 			return false;
 		}
 
 		$condition_string = self::buildCondition($condition);
 
-		$sql = "SELECT COUNT(*) AS `count` FROM `".$table."`".$condition_string;
+		$sql = "SELECT COUNT(*) AS `count` FROM " . self::formatTableName($table) . $condition_string;
 
 		$row = self::fetchFirst($sql, $condition);