Use quoteString in controllers (#18191)

kamil-tekiela · web-flow · commit 142f15f3738f · 2023-03-03T17:40:45.000-03:00
* CreateController

Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;

* FindReplaceController

Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;

* SetVariableController

Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;

* GetVariableController

Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;

* UserGroupsFormController

Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;

* TablesController

Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;

---------

Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;
diff --git a/libraries/classes/Controllers/Database/MultiTableQuery/TablesController.php b/libraries/classes/Controllers/Database/MultiTableQuery/TablesController.php
@@ -11,7 +11,8 @@
 use PhpMyAdmin\ResponseRenderer;
 use PhpMyAdmin\Template;
 
-use function rtrim;
+use function array_map;
+use function implode;
 
 final class TablesController extends AbstractController
 {
@@ -27,17 +28,12 @@ public function __invoke(ServerRequest $request): void
         /** @var string $db */
         $db = $request->getQueryParam('db', '');
 
-        $tablesListForQuery = '';
-        foreach ($tables as $table) {
-            $tablesListForQuery .= "'" . $this->dbi->escapeString($table) . "',";
-        }
-
-        $tablesListForQuery = rtrim($tablesListForQuery, ',');
+        $tablesListForQuery = array_map($this->dbi->quoteString(...), $tables);
 
         $constrains = $this->dbi->fetchResult(
             QueryGenerator::getInformationSchemaForeignKeyConstraintsRequest(
-                $this->dbi->escapeString($db),
-                $tablesListForQuery,
+                $this->dbi->quoteString($db),
+                implode(',', $tablesListForQuery),
             ),
         );
         $this->response->addJSON(['foreignKeyConstrains' => $constrains]);
diff --git a/libraries/classes/Controllers/Server/UserGroupsFormController.php b/libraries/classes/Controllers/Server/UserGroupsFormController.php
@@ -74,9 +74,9 @@ private function getHtmlToChooseUserGroup(
             . '.' . Util::backquote($configurableMenusFeature->users);
 
         $sqlQuery = sprintf(
-            'SELECT `usergroup` FROM %s WHERE `username` = \'%s\'',
+            'SELECT `usergroup` FROM %s WHERE `username` = %s',
             $userTable,
-            $this->dbi->escapeString($username),
+            $this->dbi->quoteString($username),
         );
         $userGroup = $this->dbi->fetchValue($sqlQuery, 0, Connection::TYPE_CONTROL);
 
diff --git a/libraries/classes/Controllers/Server/Variables/GetVariableController.php b/libraries/classes/Controllers/Server/Variables/GetVariableController.php
@@ -31,11 +31,9 @@ public function __invoke(ServerRequest $request, array $params): void
 
         // Send with correct charset
         header('Content-Type: text/html; charset=UTF-8');
-        // Do not use double quotes inside the query to avoid a problem
-        // when server is running in ANSI_QUOTES sql_mode
         $varValue = $this->dbi->fetchSingleRow(
-            'SHOW GLOBAL VARIABLES WHERE Variable_name=\''
-            . $this->dbi->escapeString($params['name']) . '\';',
+            'SHOW GLOBAL VARIABLES WHERE Variable_name='
+            . $this->dbi->quoteString($params['name']) . ';',
             DatabaseInterface::FETCH_NUM,
         );
 
diff --git a/libraries/classes/Controllers/Server/Variables/SetVariableController.php b/libraries/classes/Controllers/Server/Variables/SetVariableController.php
@@ -60,21 +60,17 @@ public function __invoke(ServerRequest $request, array $vars): void
             ];
             $value = (float) $matches[1] * 1024 ** $exp[mb_strtolower($matches[3])];
         } else {
-            $value = $this->dbi->escapeString($value);
-        }
-
-        if (! is_numeric($value)) {
-            $value = "'" . $value . "'";
+            $value = $this->dbi->quoteString($value);
         }
 
         $json = [];
         if (! preg_match('/[^a-zA-Z0-9_]+/', $variableName)) {
             $this->dbi->query('SET GLOBAL ' . $variableName . ' = ' . $value);
             // Some values are rounded down etc.
             $varValue = $this->dbi->fetchSingleRow(
-                'SHOW GLOBAL VARIABLES WHERE Variable_name="'
-                . $this->dbi->escapeString($variableName)
-                . '";',
+                'SHOW GLOBAL VARIABLES WHERE Variable_name='
+                . $this->dbi->quoteString($variableName)
+                . ';',
                 DatabaseInterface::FETCH_NUM,
             );
             [$formattedValue, $isHtmlFormatted] = $this->formatVariable($variableName, $varValue[1]);
diff --git a/libraries/classes/Controllers/Table/FindReplaceController.php b/libraries/classes/Controllers/Table/FindReplaceController.php
@@ -250,7 +250,7 @@ private function getRegexReplaceRows(
             . ' FROM ' . Util::backquote($GLOBALS['db'])
             . '.' . Util::backquote($GLOBALS['table'])
             . ' WHERE ' . Util::backquote($column)
-            . " RLIKE '" . $this->dbi->escapeString($find) . "' COLLATE "
+            . ' RLIKE ' . $this->dbi->quoteString($find) . ' COLLATE '
             . $charSet . '_bin'; // here we
         // change the collation of the 2nd operand to a case sensitive
         // binary collation to make sure that the comparison is case sensitive
@@ -313,8 +313,8 @@ public function replace(
                     $sql_query .= ' = CASE';
                     foreach ($toReplace as $row) {
                         $sql_query .= "\n WHEN " . Util::backquote($column)
-                            . " = '" . $this->dbi->escapeString($row[0])
-                            . "' THEN '" . $this->dbi->escapeString($row[1]) . "'";
+                            . ' = ' . $this->dbi->quoteString($row[0])
+                            . ' THEN ' . $this->dbi->quoteString($row[1]);
                     }
 
                     $sql_query .= ' END';
@@ -324,7 +324,7 @@ public function replace(
             }
 
             $sql_query .= ' WHERE ' . Util::backquote($column)
-                . " RLIKE '" . $this->dbi->escapeString($find) . "' COLLATE "
+                . ' RLIKE ' . $this->dbi->quoteString($find) . ' COLLATE '
                 . $charSet . '_bin'; // here we
             // change the collation of the 2nd operand to a case sensitive
             // binary collation to make sure that the comparison
diff --git a/libraries/classes/Controllers/View/CreateController.php b/libraries/classes/Controllers/View/CreateController.php
@@ -134,13 +134,12 @@ public function __invoke(ServerRequest $request): void
         if (isset($_GET['db'], $_GET['table'])) {
             $item = $this->dbi->fetchSingleRow(
                 sprintf(
-                    "SELECT `VIEW_DEFINITION`, `CHECK_OPTION`, `DEFINER`,
-            `SECURITY_TYPE`
-            FROM `INFORMATION_SCHEMA`.`VIEWS`
-            WHERE TABLE_SCHEMA='%s'
-            AND TABLE_NAME='%s';",
-                    $this->dbi->escapeString($_GET['db']),
-                    $this->dbi->escapeString($_GET['table']),
+                    'SELECT `VIEW_DEFINITION`, `CHECK_OPTION`, `DEFINER`, `SECURITY_TYPE`
+                        FROM `INFORMATION_SCHEMA`.`VIEWS`
+                        WHERE TABLE_SCHEMA=%s
+                        AND TABLE_NAME=%s;',
+                    $this->dbi->quoteString($_GET['db']),
+                    $this->dbi->quoteString($_GET['table']),
                 ),
             );
             $createView = $this->dbi->getTable($_GET['db'], $_GET['table'])
diff --git a/libraries/classes/Query/Generator.php b/libraries/classes/Query/Generator.php
@@ -258,7 +258,7 @@ public static function getInformationSchemaForeignKeyConstraintsRequest(
             . ' REFERENCED_COLUMN_NAME'
             . ' FROM information_schema.key_column_usage'
             . ' WHERE referenced_table_name IS NOT NULL'
-            . " AND TABLE_SCHEMA = '" . $escapedDatabase . "'"
+            . ' AND TABLE_SCHEMA = ' . $escapedDatabase
             . ' AND TABLE_NAME IN (' . $tablesListForQueryCsv . ')'
             . ' AND REFERENCED_TABLE_NAME IN (' . $tablesListForQueryCsv . ');';
     }
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
@@ -1231,10 +1231,6 @@
     </MixedArgument>
   </file>
   <file src="libraries/classes/Controllers/Database/MultiTableQuery/TablesController.php">
-    <DeprecatedMethod>
-      <code>escapeString</code>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <PossiblyUnusedMethod>
       <code>__construct</code>
     </PossiblyUnusedMethod>
@@ -3139,9 +3135,6 @@
     </PossiblyUnusedMethod>
   </file>
   <file src="libraries/classes/Controllers/Server/UserGroupsFormController.php">
-    <DeprecatedMethod>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <PossiblyInvalidArgument>
       <code>$username</code>
     </PossiblyInvalidArgument>
@@ -3160,9 +3153,6 @@
     </UnusedParam>
   </file>
   <file src="libraries/classes/Controllers/Server/Variables/GetVariableController.php">
-    <DeprecatedMethod>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <MixedArgument>
       <code><![CDATA[$params['name']]]></code>
       <code><![CDATA[$params['name']]]></code>
@@ -3179,10 +3169,6 @@
     </UnusedParam>
   </file>
   <file src="libraries/classes/Controllers/Server/Variables/SetVariableController.php">
-    <DeprecatedMethod>
-      <code>escapeString</code>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <MixedArgument>
       <code>$formattedValue</code>
       <code>$varValue[1]</code>
@@ -3644,12 +3630,6 @@
     </MixedAssignment>
   </file>
   <file src="libraries/classes/Controllers/Table/FindReplaceController.php">
-    <DeprecatedMethod>
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <InvalidArgument>
       <code><![CDATA[$_POST['columnIndex']]]></code>
       <code><![CDATA[$_POST['columnIndex']]]></code>
@@ -4721,10 +4701,6 @@
     </PossiblyUnusedParam>
   </file>
   <file src="libraries/classes/Controllers/View/CreateController.php">
-    <DeprecatedMethod>
-      <code>escapeString</code>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <DocblockTypeContradiction>
       <code><![CDATA[$viewData['as']]]></code>
     </DocblockTypeContradiction>
diff --git a/test/classes/Controllers/Table/FindReplaceControllerTest.php b/test/classes/Controllers/Table/FindReplaceControllerTest.php
@@ -64,8 +64,8 @@ protected function setUp(): void
 
         $dbi->expects($this->any())->method('fetchValue')
             ->will($this->returnValue($show_create_table));
-        $dbi->expects($this->any())->method('escapeString')
-            ->will($this->returnArgument(0));
+        $dbi->expects($this->any())->method('quoteString')
+            ->will($this->returnCallback(static fn (string $string): string => "'" . $string . "'"));
 
         $GLOBALS['dbi'] = $dbi;
     }

Original file line number	Diff line number	Diff line change
`@@ -258,7 +258,7 @@ public static function getInformationSchemaForeignKeyConstraintsRequest(`
`258`	`258`	`. ' REFERENCED_COLUMN_NAME'`
`259`	`259`	`. ' FROM information_schema.key_column_usage'`
`260`	`260`	`. ' WHERE referenced_table_name IS NOT NULL'`
`261`		`- . " AND TABLE_SCHEMA = '" . $escapedDatabase . "'"`
	`261`	`+ . ' AND TABLE_SCHEMA = ' . $escapedDatabase`
`262`	`262`	`. ' AND TABLE_NAME IN (' . $tablesListForQueryCsv . ')'`
`263`	`263`	`. ' AND REFERENCED_TABLE_NAME IN (' . $tablesListForQueryCsv . ');';`
`264`	`264`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,8 @@ protected function setUp(): void`
`64`	`64`
`65`	`65`	`$dbi->expects($this->any())->method('fetchValue')`
`66`	`66`	`->will($this->returnValue($show_create_table));`
`67`		`- $dbi->expects($this->any())->method('escapeString')`
`68`		`- ->will($this->returnArgument(0));`
	`67`	`+ $dbi->expects($this->any())->method('quoteString')`
	`68`	`+ ->will($this->returnCallback(static fn (string $string): string => "'" . $string . "'"));`
`69`	`69`
`70`	`70`	`$GLOBALS['dbi'] = $dbi;`
`71`	`71`	`}`