Replace escapeString with quoteString

kamil-tekiela · MauricioFauth · commit 3a56e51f9293 · 2023-02-10T16:23:34.000-03:00
Signed-off-by: Kamil Tekiela &lt;tekiela246@gmail.com&gt;
diff --git a/libraries/classes/UserPreferences.php b/libraries/classes/UserPreferences.php
@@ -100,9 +100,8 @@ public function load(): array
             . Util::backquote($relationParameters->userPreferencesFeature->userConfig);
         $query = 'SELECT `config_data`, UNIX_TIMESTAMP(`timevalue`) ts'
             . ' FROM ' . $query_table
-            . ' WHERE `username` = \''
-            . $this->dbi->escapeString((string) $relationParameters->user)
-            . '\'';
+            . ' WHERE `username` = '
+            . $this->dbi->quoteString((string) $relationParameters->user);
         $row = $this->dbi->fetchSingleRow(
             $query,
             DatabaseInterface::FETCH_ASSOC,
@@ -154,26 +153,23 @@ public function save(array $config_array)
         $query_table = Util::backquote($relationParameters->userPreferencesFeature->database) . '.'
             . Util::backquote($relationParameters->userPreferencesFeature->userConfig);
         $query = 'SELECT `username` FROM ' . $query_table
-            . ' WHERE `username` = \''
-            . $this->dbi->escapeString($relationParameters->user)
-            . '\'';
+            . ' WHERE `username` = '
+            . $this->dbi->quoteString($relationParameters->user);
 
         $has_config = $this->dbi->fetchValue($query, 0, Connection::TYPE_CONTROL);
         $config_data = json_encode($config_array);
         if ($has_config) {
             $query = 'UPDATE ' . $query_table
-                . ' SET `timevalue` = NOW(), `config_data` = \''
-                . $this->dbi->escapeString($config_data)
-                . '\''
-                . ' WHERE `username` = \''
-                . $this->dbi->escapeString($relationParameters->user)
-                . '\'';
+                . ' SET `timevalue` = NOW(), `config_data` = '
+                . $this->dbi->quoteString($config_data)
+                . ' WHERE `username` = '
+                . $this->dbi->quoteString($relationParameters->user);
         } else {
             $query = 'INSERT INTO ' . $query_table
                 . ' (`username`, `timevalue`,`config_data`) '
-                . 'VALUES (\''
-                . $this->dbi->escapeString($relationParameters->user) . '\', NOW(), '
-                . '\'' . $this->dbi->escapeString($config_data) . '\')';
+                . 'VALUES ('
+                . $this->dbi->quoteString($relationParameters->user) . ', NOW(), '
+                . $this->dbi->quoteString($config_data) . ')';
         }
 
         if (isset($_SESSION['cache'][$cache_key]['userprefs'])) {
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -8940,6 +8940,11 @@ parameters:
 			count: 1
 			path: libraries/classes/UserPreferences.php
 
+		-
+			message: "#^Parameter \\#1 \\$str of method PhpMyAdmin\\\\DatabaseInterface\\:\\:quoteString\\(\\) expects string, string\\|false given\\.$#"
+			count: 2
+			path: libraries/classes/UserPreferences.php
+
 		-
 			message: "#^Cannot use array destructuring on array\\|null\\.$#"
 			count: 1
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
@@ -13374,14 +13374,6 @@
     </PossiblyInvalidCast>
   </file>
   <file src="libraries/classes/UserPreferences.php">
-    <DeprecatedMethod occurrences="6">
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <MixedArgumentTypeCoercion occurrences="2">
       <code>$path</code>
       <code>$url_params</code>
diff --git a/test/classes/UserPreferencesTest.php b/test/classes/UserPreferencesTest.php
@@ -114,8 +114,10 @@ public function testLoad(): void
                 )
             );
         $dbi->expects($this->any())
-            ->method('escapeString')
-            ->will($this->returnArgument(0));
+            ->method('quoteString')
+            ->will($this->returnCallback(static function (string $string) {
+                return "'" . $string . "'";
+            }));
 
         $userPreferences = new UserPreferences($dbi);
         $result = $userPreferences->load();
@@ -202,8 +204,10 @@ public function testSave(): void
             ->will($this->returnValue(true));
 
         $dbi->expects($this->any())
-            ->method('escapeString')
-            ->will($this->returnArgument(0));
+            ->method('quoteString')
+            ->will($this->returnCallback(static function (string $string) {
+                return "'" . $string . "'";
+            }));
 
         $userPreferences = new UserPreferences($dbi);
         $result = $userPreferences->save([1]);
@@ -236,8 +240,10 @@ public function testSave(): void
             ->with(Connection::TYPE_CONTROL)
             ->will($this->returnValue('err1'));
         $dbi->expects($this->any())
-            ->method('escapeString')
-            ->will($this->returnArgument(0));
+            ->method('quoteString')
+            ->will($this->returnCallback(static function (string $string) {
+                return "'" . $string . "'";
+            }));
 
         $userPreferences = new UserPreferences($dbi);
         $result = $userPreferences->save([1]);
