From 30143aa5b10e4b881bce2217899527863baa9273 Mon Sep 17 00:00:00 2001 From: Michael Date: Tue, 21 May 2019 05:34:41 +0000 Subject: [PATCH] Identifier have to be escaped different than values --- src/Database/DBA.php | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/Database/DBA.php b/src/Database/DBA.php index 6cf9cce434..9f34a86c15 100644 --- a/src/Database/DBA.php +++ b/src/Database/DBA.php @@ -288,6 +288,19 @@ class DBA } } + /** + * Removes every not whitelisted character from the identifier string + * + * @param string $identifier + * + * @return string sanitized identifier + * @throws \Exception + */ + private static function sanitizeIdentifier($identifier) + { + return preg_replace('/[^A-Za-z0-9_\-]+/', '', $identifier); + } + public static function escape($str) { if (self::$connected) { switch (self::$driver) { @@ -883,7 +896,7 @@ class DBA public static function formatTableName($table) { if (is_string($table)) { - return "`" . self::escape($table) . "`"; + return "`" . self::sanitizeIdentifier($table) . "`"; } if (!is_array($table)) { @@ -892,7 +905,7 @@ class DBA $scheme = key($table); - return "`" . self::escape($scheme) . "`.`" . self::escape($table[$scheme]) . "`"; + return "`" . self::sanitizeIdentifier($scheme) . "`.`" . self::sanitizeIdentifier($table[$scheme]) . "`"; } /** @@ -1142,7 +1155,7 @@ class DBA $callstack[$key] = true; - $table = self::escape($table); + $table = self::sanitizeIdentifier($table); $commands[$key] = ['table' => $table, 'conditions' => $conditions]; -- 2.39.5