
Commit dc3dc0d

Merge pull request #17866 from kamil-tekiela/escapeString-to-quoteString
Introducing quoteString()
2 parents 17d9855 + 3b49a5b commit dc3dc0d

20 files changed

Lines changed: 823 additions & 186 deletions

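--- a/doc/security.rst
+++ b/doc/security.rst
@@ -64,7 +64,7 @@ mysql control connection. This controlconnection can have additional privileges
 which the logged in user does not poses. E.g. access the :ref:`linked-tables`.
 
 User data that is included in (administrative) queries should always be run
-through DatabaseInterface::escapeString().
+through DatabaseInterface::quoteString().
 
 .. seealso::
 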
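--- a/libraries/classes/Bookmark.php
+++ b/libraries/classes/Bookmark.php
@@ -120,10 +120,10 @@ public function save(): bool
 $query = 'INSERT INTO ' . Util::backquote($bookmarkFeature->database)
 . '.' . Util::backquote($bookmarkFeature->bookmark)
 . ' (id, dbase, user, query, label) VALUES (NULL, '
-. "'" . $this->dbi->escapeString($this->database) . "', "
-. "'" . $this->dbi->escapeString($this->currentUser) . "', "
-. "'" . $this->dbi->escapeString($this->query) . "', "
-. "'" . $this->dbi->escapeString($this->label) . "')";
+. $this->dbi->quoteString($this->database) . ', '
+. $this->dbi->quoteString($this->currentUser) . ', '
+. $this->dbi->quoteString($this->query) . ', '
+. $this->dbi->quoteString($this->label) . ')';
 
 return (bool) $this->dbi->query($query, DatabaseInterface::CONNECT_CONTROL);
 }
@@ -249,9 +249,9 @@ public static function getList(
 $query = 'SELECT * FROM ' . Util::backquote($bookmarkFeature->database)
 . '.' . Util::backquote($bookmarkFeature->bookmark)
 . " WHERE ( `user` = ''"
-. " OR `user` = '" . $dbi->escapeString($user) . "' )";
+. ' OR `user` = ' . $dbi->quoteString($user) . ' )';
 if ($db !== false) {
-$query .= " AND dbase = '" . $dbi->escapeString($db) . "'";
+$query .= ' AND dbase = ' . $dbi->quoteString($db);
 }
 
 $query .= ' ORDER BY label ASC';
@@ -302,10 +302,9 @@ public static function get(
 
 $query = 'SELECT * FROM ' . Util::backquote($bookmarkFeature->database)
 . '.' . Util::backquote($bookmarkFeature->bookmark)
-. " WHERE dbase = '" . $dbi->escapeString($db->getName()) . "'";
+. ' WHERE dbase = ' . $dbi->quoteString($db->getName());
 if (! $action_bookmark_all) {
-$query .= " AND (user = '"
-. $dbi->escapeString($user) . "'";
+$query .= ' AND (user = ' . $dbi->quoteString($user);
 if (! $exact_user_match) {
 $query .= " OR user = ''";
 }
@@ -314,7 +313,7 @@ public static function get(
 }
 
 $query .= ' AND ' . Util::backquote($id_field)
-. " = '" . $dbi->escapeString((string) $id) . "' LIMIT 1";
+. ' = ' . $dbi->quoteString((string) $id) . ' LIMIT 1';
 
 $result = $dbi->fetchSingleRow($query, DatabaseInterface::FETCH_ASSOC, DatabaseInterface::CONNECT_CONTROL);
 if ($result !== null) {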

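--- a/libraries/classes/ConfigStorage/Relation.php
+++ b/libraries/classes/ConfigStorage/Relation.php
@@ -428,11 +428,10 @@ public function getForeigners($db, $table, $column = '', $source = 'both')
 . '`foreign_table`, `foreign_field`'
 . ' FROM ' . Util::backquote($relationFeature->database)
 . '.' . Util::backquote($relationFeature->relation)
-. ' WHERE `master_db` = \'' . $this->dbi->escapeString($db) . '\''
-. ' AND `master_table` = \'' . $this->dbi->escapeString($table) . '\'';
+. ' WHERE `master_db` = ' . $this->dbi->quoteString($db)
+. ' AND `master_table` = ' . $this->dbi->quoteString($table);
 if (strlen($column) > 0) {
-$rel_query .= ' AND `master_field` = '
-. '\'' . $this->dbi->escapeString($column) . '\'';
+$rel_query .= ' AND `master_field` = ' . $this->dbi->quoteString($column);
 }
 
 $foreign = $this->dbi->fetchResult($rel_query, 'master_field', null, DatabaseInterface::CONNECT_CONTROL);
@@ -500,8 +499,8 @@ public function getDisplayField($db, $table)
 $disp_query = 'SELECT `display_field`'
 . ' FROM ' . Util::backquote($displayFeature->database)
 . '.' . Util::backquote($displayFeature->tableInfo)
-. ' WHERE `db_name` = \'' . $this->dbi->escapeString((string) $db) . '\''
-. ' AND `table_name` = \'' . $this->dbi->escapeString((string) $table) . '\'';
+. ' WHERE `db_name` = ' . $this->dbi->quoteString((string) $db)
+. ' AND `table_name` = ' . $this->dbi->quoteString((string) $table);
 
 $row = $this->dbi->fetchSingleRow(
 $disp_query,
@@ -581,7 +580,7 @@ public function getDbComment(string $db): string
 $com_qry = 'SELECT `comment`'
 . ' FROM ' . Util::backquote($columnCommentsFeature->database)
 . '.' . Util::backquote($columnCommentsFeature->columnInfo)
-. ' WHERE db_name = \'' . $this->dbi->escapeString($db) . '\''
+. ' WHERE db_name = ' . $this->dbi->quoteString($db)
 . ' AND table_name = \'\''
 . ' AND column_name = \'(db_comment)\'';
 $com_rs = $this->dbi->tryQueryAsControlUser($com_qry);
@@ -639,19 +638,19 @@ public function setDbComment($db, $comment = ''): bool
 . Util::backquote($columnCommentsFeature->database) . '.'
 . Util::backquote($columnCommentsFeature->columnInfo)
 . ' (`db_name`, `table_name`, `column_name`, `comment`)'
-. ' VALUES (\''
-. $this->dbi->escapeString($db)
-. "', '', '(db_comment)', '"
-. $this->dbi->escapeString($comment)
-. "') "
+. ' VALUES ('
+. $this->dbi->quoteString($db)
+. ", '', '(db_comment)', "
+. $this->dbi->quoteString($comment)
+. ') '
 . ' ON DUPLICATE KEY UPDATE '
-. "`comment` = '" . $this->dbi->escapeString($comment) . "'";
+. '`comment` = ' . $this->dbi->quoteString($comment);
 } else {
 $upd_query = 'DELETE FROM '
 . Util::backquote($columnCommentsFeature->database) . '.'
 . Util::backquote($columnCommentsFeature->columnInfo)
-. ' WHERE `db_name` = \'' . $this->dbi->escapeString($db)
-. '\'
+. ' WHERE `db_name` = ' . $this->dbi->quoteString($db)
+. '
 AND `table_name` = \'\'
 AND `column_name` = \'(db_comment)\'';
 }
@@ -706,11 +705,11 @@ public function setHistory($db, $table, $username, $sqlquery): void
 `timevalue`,
 `sqlquery`)
 VALUES
-(\'' . $this->dbi->escapeString($username) . '\',
-\'' . $this->dbi->escapeString($db) . '\',
-\'' . $this->dbi->escapeString($table) . '\',
+(' . $this->dbi->quoteString($username) . ',
+' . $this->dbi->quoteString($db) . ',
+' . $this->dbi->quoteString($table) . ',
 NOW(),
-\'' . $this->dbi->escapeString($sqlquery) . '\')'
+' . $this->dbi->quoteString($sqlquery) . ')'
 );
 
 $this->purgeHistory($username);
@@ -749,7 +748,7 @@ public function getHistory($username)
 `timevalue`
 FROM ' . Util::backquote($sqlHistoryFeature->database)
 . '.' . Util::backquote($sqlHistoryFeature->history) . '
-WHERE `username` = \'' . $this->dbi->escapeString($username) . '\'
+WHERE `username` = ' . $this->dbi->quoteString($username) . '
 ORDER BY `id` DESC';
 
 return $this->dbi->fetchResult($hist_query, null, null, DatabaseInterface::CONNECT_CONTROL);
@@ -774,7 +773,7 @@ public function purgeHistory($username): void
 SELECT `timevalue`
 FROM ' . Util::backquote($sqlHistoryFeature->database)
 . '.' . Util::backquote($sqlHistoryFeature->history) . '
-WHERE `username` = \'' . $this->dbi->escapeString($username) . '\'
+WHERE `username` = ' . $this->dbi->quoteString($username) . '
 ORDER BY `timevalue` DESC
 LIMIT ' . $GLOBALS['cfg']['QueryHistoryMax'] . ', 1';
 
@@ -788,8 +787,8 @@ public function purgeHistory($username): void
 'DELETE FROM '
 . Util::backquote($sqlHistoryFeature->database) . '.'
 . Util::backquote($sqlHistoryFeature->history) . '
-WHERE `username` = \'' . $this->dbi->escapeString($username)
-. '\'
+WHERE `username` = ' . $this->dbi->quoteString($username)
+. '
 AND `timevalue` <= \'' . $max_time . '\''
 );
 }
@@ -1131,13 +1130,10 @@ public function renameField($db, $table, $field, $new_name): void
 $table_query = 'UPDATE '
 . Util::backquote($relationParameters->displayFeature->database) . '.'
 . Util::backquote($relationParameters->displayFeature->tableInfo)
-. ' SET display_field = \'' . $this->dbi->escapeString($new_name) . '\''
-. ' WHERE db_name = \'' . $this->dbi->escapeString($db)
-. '\''
-. ' AND table_name = \'' . $this->dbi->escapeString($table)
-. '\''
-. ' AND display_field = \'' . $this->dbi->escapeString($field)
-. '\'';
+. ' SET display_field = ' . $this->dbi->quoteString($new_name)
+. ' WHERE db_name = ' . $this->dbi->quoteString($db)
+. ' AND table_name = ' . $this->dbi->quoteString($table)
+. ' AND display_field = ' . $this->dbi->quoteString($field);
 $this->dbi->queryAsControlUser($table_query);
 }
 
@@ -1148,25 +1144,19 @@ public function renameField($db, $table, $field, $new_name): void
 $table_query = 'UPDATE '
 . Util::backquote($relationParameters->relationFeature->database) . '.'
 . Util::backquote($relationParameters->relationFeature->relation)
-. ' SET master_field = \'' . $this->dbi->escapeString($new_name) . '\''
-. ' WHERE master_db = \'' . $this->dbi->escapeString($db)
-. '\''
-. ' AND master_table = \'' . $this->dbi->escapeString($table)
-. '\''
-. ' AND master_field = \'' . $this->dbi->escapeString($field)
-. '\'';
+. ' SET master_field = ' . $this->dbi->quoteString($new_name)
+. ' WHERE master_db = ' . $this->dbi->quoteString($db)
+. ' AND master_table = ' . $this->dbi->quoteString($table)
+. ' AND master_field = ' . $this->dbi->quoteString($field);
 $this->dbi->queryAsControlUser($table_query);
 
 $table_query = 'UPDATE '
 . Util::backquote($relationParameters->relationFeature->database) . '.'
 . Util::backquote($relationParameters->relationFeature->relation)
-. ' SET foreign_field = \'' . $this->dbi->escapeString($new_name) . '\''
-. ' WHERE foreign_db = \'' . $this->dbi->escapeString($db)
-. '\''
-. ' AND foreign_table = \'' . $this->dbi->escapeString($table)
-. '\''
-. ' AND foreign_field = \'' . $this->dbi->escapeString($field)
-. '\'';
+. ' SET foreign_field = ' . $this->dbi->quoteString($new_name)
+. ' WHERE foreign_db = ' . $this->dbi->quoteString($db)
+. ' AND foreign_table = ' . $this->dbi->quoteString($table)
+. ' AND foreign_field = ' . $this->dbi->quoteString($field);
 $this->dbi->queryAsControlUser($table_query);
 }
 
@@ -1194,15 +1184,13 @@ public function renameSingleTable(
 . Util::backquote($configStorageDatabase) . '.'
 . Util::backquote($configStorageTable)
 . ' SET '
-. $db_field . ' = \'' . $this->dbi->escapeString($target_db)
-. '\', '
-. $table_field . ' = \'' . $this->dbi->escapeString($target_table)
-. '\''
+. $db_field . ' = ' . $this->dbi->quoteString($target_db)
+. ', '
+. $table_field . ' = ' . $this->dbi->quoteString($target_table)
 . ' WHERE '
-. $db_field . ' = \'' . $this->dbi->escapeString($source_db) . '\''
+. $db_field . ' = ' . $this->dbi->quoteString($source_db)
 . ' AND '
-. $table_field . ' = \'' . $this->dbi->escapeString($source_table)
-. '\'';
+. $table_field . ' = ' . $this->dbi->quoteString($source_table);
 $this->dbi->queryAsControlUser($query);
 }
 
@@ -1293,9 +1281,8 @@ public function renameTable($source_db, $target_db, $source_table, $target_table
 $remove_query = 'DELETE FROM '
 . Util::backquote($relationParameters->pdfFeature->database) . '.'
 . Util::backquote($relationParameters->pdfFeature->tableCoords)
-. " WHERE db_name = '" . $this->dbi->escapeString($source_db) . "'"
-. " AND table_name = '" . $this->dbi->escapeString($source_table)
-. "'";
+. ' WHERE db_name = ' . $this->dbi->quoteString($source_db)
+. ' AND table_name = ' . $this->dbi->quoteString($source_table);
 $this->dbi->queryAsControlUser($remove_query);
 }
 }
@@ -1333,14 +1320,11 @@ public function renameTable($source_db, $target_db, $source_table, $target_table
 $query = 'UPDATE '
 . Util::backquote($relationParameters->navigationItemsHidingFeature->database) . '.'
 . Util::backquote($relationParameters->navigationItemsHidingFeature->navigationHiding)
-. " SET db_name = '" . $this->dbi->escapeString($target_db)
-. "',"
-. " item_name = '" . $this->dbi->escapeString($target_table)
-. "'"
-. " WHERE db_name = '" . $this->dbi->escapeString($source_db)
-. "'"
-. " AND item_name = '" . $this->dbi->escapeString($source_table)
-. "'"
+. ' SET db_name = ' . $this->dbi->quoteString($target_db)
+. ','
+. ' item_name = ' . $this->dbi->quoteString($target_table)
+. ' WHERE db_name = ' . $this->dbi->quoteString($source_db)
+. ' AND item_name = ' . $this->dbi->quoteString($source_table)
 . " AND item_type = 'table'";
 $this->dbi->queryAsControlUser($query);
 }
@@ -1357,9 +1341,9 @@ public function createPage(?string $newpage, PdfFeature $pdfFeature, $db): int
 . Util::backquote($pdfFeature->database) . '.'
 . Util::backquote($pdfFeature->pdfPages)
 . ' (db_name, page_descr)'
-. ' VALUES (\''
-. $this->dbi->escapeString($db) . '\', \''
-. $this->dbi->escapeString($newpage ?: __('no description')) . '\')';
+. ' VALUES ('
+. $this->dbi->quoteString($db) . ', '
+. $this->dbi->quoteString($newpage ?: __('no description')) . ')';
 $this->dbi->tryQueryAsControlUser($ins_query);
 
 return $this->dbi->insertId(DatabaseInterface::CONNECT_CONTROL);
@@ -1379,13 +1363,13 @@ public function getChildReferences($db, $table, $column = ''): array
 $rel_query = 'SELECT `column_name`, `table_name`,'
 . ' `table_schema`, `referenced_column_name`'
 . ' FROM `information_schema`.`key_column_usage`'
-. " WHERE `referenced_table_name` = '"
-. $this->dbi->escapeString($table) . "'"
-. " AND `referenced_table_schema` = '"
-. $this->dbi->escapeString($db) . "'";
+. ' WHERE `referenced_table_name` = '
+. $this->dbi->quoteString($table)
+. ' AND `referenced_table_schema` = '
+. $this->dbi->quoteString($db);
 if ($column) {
-$rel_query .= " AND `referenced_column_name` = '"
-. $this->dbi->escapeString($column) . "'";
+$rel_query .= ' AND `referenced_column_name` = '
+. $this->dbi->quoteString($column);
 }
 
 return $this->dbi->fetchResult(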
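Review bot: purgeHistory's DELETE (the hunk at old lines 788–795) still hand-quotes `$max_time` with `\'' . $max_time . '\''` while the neighbouring `$username` on the line above was moved to quoteString(), so after this commit the same statement mixes both conventions; `$max_time` appears to be taken from the preceding SELECT rather than from request data, but routing it through the same helper keeps the invariant the commit establishes, i.e. replace that fragment with `' . $this->dbi->quoteString($max_time)`. The SELECT in the same method also interpolates `$GLOBALS['cfg']['QueryHistoryMax']` unquoted into LIMIT; it is configuration rather than user input, but an explicit `(int)` cast there would make the expected type visible at the call site. In renameSingleTable (old lines 1194–1205) `$db_field` and `$table_field` are still concatenated as bare identifiers without Util::backquote, unlike every table name in these hunks; if the caller can only pass the fixed column names this is harmless, otherwise they should be backquoted like the table names. purgeHistory and renameSingleTable both begin outside their hunks.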
