
Commit a659874

Merge pull request #18201 from kamil-tekiela/quoteString-in-UserGroups
Use quoteString in UserGroups
2 parents 8123a81 + a6cfa89 commit a659874

3 files changed

Lines changed: 7 additions & 16 deletions


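--- a/libraries/classes/ConfigStorage/UserGroups.php
+++ b/libraries/classes/ConfigStorage/UserGroups.php
@@ -47,8 +47,7 @@ public static function getHtmlForListingUsersofAGroup(
 $usersTable = Util::backquote($configurableMenusFeature->database)
 . '.' . Util::backquote($configurableMenusFeature->users);
 $sql_query = 'SELECT `username` FROM ' . $usersTable
-. " WHERE `usergroup`='" . $GLOBALS['dbi']->escapeString($userGroup)
-. "'";
+. ' WHERE `usergroup`=' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL);
 $result = $GLOBALS['dbi']->tryQueryAsControlUser($sql_query);
 if ($result) {
 $i = 0;
@@ -220,8 +219,7 @@ public static function getHtmlToEditUserGroup(
 $groupTable = Util::backquote($configurableMenusFeature->database)
 . '.' . Util::backquote($configurableMenusFeature->userGroups);
 $sql_query = 'SELECT * FROM ' . $groupTable
-. " WHERE `usergroup`='" . $GLOBALS['dbi']->escapeString($userGroup)
-. "'";
+. ' WHERE `usergroup`=' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL);
 $result = $GLOBALS['dbi']->tryQueryAsControlUser($sql_query);
 if ($result) {
 foreach ($result as $row) {
@@ -315,8 +313,7 @@ public static function edit(
 
 if (! $new) {
 $sql_query = 'DELETE FROM ' . $groupTable
-. " WHERE `usergroup`='" . $GLOBALS['dbi']->escapeString($userGroup)
-. "';";
+. ' WHERE `usergroup`=' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL) . ';';
 $GLOBALS['dbi']->queryAsControlUser($sql_query);
 }
 
@@ -333,7 +330,8 @@ public static function edit(
 
 $tabName = $tabGroupName . '_' . $tab;
 $allowed = isset($_POST[$tabName]) && $_POST[$tabName] === 'Y';
-$sql_query .= "('" . $GLOBALS['dbi']->escapeString($userGroup) . "', '" . $tabName . "', '"
+$sql_query .= '(' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL)
+. ', ' . $GLOBALS['dbi']->quoteString($tabName, Connection::TYPE_CONTROL) . ", '"
 . ($allowed ? 'Y' : 'N') . "')";
 $first = false;
 }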
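Review bot: In the last hunk the INSERT row is built with two quoting paths side by side: `$userGroup` and `$tabName` go through `quoteString()` on the new lines, while the `Y`/`N` flag on the following context line still uses the hand-written `", '"` / `"')"` concatenation. The flag is a constant so it is safe as written, but routing it the same way, `. ', ' . $GLOBALS['dbi']->quoteString($allowed ? 'Y' : 'N', Connection::TYPE_CONTROL) . ')'`, keeps every value in the row on the driver-quoted path and removes the last literal quote from this statement. All four hunks also reference `Connection::TYPE_CONTROL` without a `use` line appearing in this section (the 5/7 counts leave no room for one), so this presumably relies on `Connection` already being imported in the file; worth confirming. The enclosing `edit()` method starts and ends outside the hunk.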

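--- a/psalm-baseline.xml
+++ b/psalm-baseline.xml
@@ -902,12 +902,6 @@
 </RedundantCondition>
 </file>
 <file src="libraries/classes/ConfigStorage/UserGroups.php">
-<DeprecatedMethod>
-<code>escapeString</code>
-<code>escapeString</code>
-<code>escapeString</code>
-<code>escapeString</code>
-</DeprecatedMethod>
 <MixedArgumentTypeCoercion>
 <code>$tabNames</code>
 </MixedArgumentTypeCoercion>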

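--- a/test/classes/ConfigStorage/UserGroupsTest.php
+++ b/test/classes/ConfigStorage/UserGroupsTest.php
@@ -140,9 +140,8 @@ public function testGetHtmlToEditUserGroup(): void
 ],
 ];
 }));
-$dbi->expects($this->any())
-->method('escapeString')
-->will($this->returnArgument(0));
+$dbi->expects($this->any())->method('quoteString')
+->will($this->returnCallback(static fn (string $string): string => "'" . $string . "'"));
 
 $GLOBALS['dbi'] = $dbi;
 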
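Review bot: The `quoteString` stub on the new lines declares a single `string $string` parameter and ignores the second argument, so the test no longer checks that the production code passes the control-connection type, which is the part of this change most likely to regress silently (a mismatched connection would still yield a quoted string here). Constraining the expectation, `->with(self::anything(), Connection::TYPE_CONTROL)` before the `->will(...)` call, pins that argument; this assumes `Connection` is importable in the test file, add a `use` if it is not. The stub also wraps without escaping, which is fine for a mock but means a group name containing a quote is not exercised by this test. `testGetHtmlToEditUserGroup()` continues outside the hunk.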