Identifier have to be escaped different than values

Michael 2019-05-21 05:34:41 +00:00
parent 1f6f588872
commit 30143aa5b1


@ -288,6 +288,19 @@ class DBA
} }
} }
/**
* Removes every not whitelisted character from the identifier string
*
* @param string $identifier
*
* @return string sanitized identifier
* @throws \Exception
*/
private static function sanitizeIdentifier($identifier)
{
return preg_replace('/[^A-Za-z0-9_\-]+/', '', $identifier);
}
public static function escape($str) { public static function escape($str) {
if (self::$connected) { if (self::$connected) {
switch (self::$driver) { switch (self::$driver) {
@ -883,7 +896,7 @@ class DBA
public static function formatTableName($table) public static function formatTableName($table)
{ {
if (is_string($table)) { if (is_string($table)) {
return "`" . self::escape($table) . "`"; return "`" . self::sanitizeIdentifier($table) . "`";
} }
if (!is_array($table)) { if (!is_array($table)) {
@ -892,7 +905,7 @@ class DBA
$scheme = key($table); $scheme = key($table);
return "`" . self::escape($scheme) . "`.`" . self::escape($table[$scheme]) . "`"; return "`" . self::sanitizeIdentifier($scheme) . "`.`" . self::sanitizeIdentifier($table[$scheme]) . "`";
} }
/** /**
@ -1142,7 +1155,7 @@ class DBA
$callstack[$key] = true; $callstack[$key] = true;
$table = self::escape($table); $table = self::sanitizeIdentifier($table);
$commands[$key] = ['table' => $table, 'conditions' => $conditions]; $commands[$key] = ['table' => $table, 'conditions' => $conditions];
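Review bot: `sanitizeIdentifier()` in the first hunk silently strips characters outside the whitelist instead of rejecting the identifier, so a malformed table or schema name becomes a different, possibly empty, name and the statement is built for an unintended table or for an empty backtick pair rather than failing. The docblock declares `@throws \Exception`, but nothing in the body throws, and `preg_replace()` returns `null` on a PCRE error, which would also produce an empty identifier. Failing closed would match the documented contract: `if (!is_string($identifier) || !preg_match('/^[A-Za-z0-9_\-]+\z/', $identifier)) { throw new \Exception('Invalid identifier'); }`, then return the identifier unchanged. The same helper is called from `formatTableName()` and from the `$commands[$key]` path in the later hunks, whose enclosing functions start and end outside the visible lines, so whether callers already validate table names cannot be confirmed from here.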