Not quote table-fields in Aura.Sql.Select #15

Closed
guweigang opened this issue Jun 18, 2012 · 2 comments
@guweigang
Contributor

Hi, I've been using Aura.Sql for a while...

Last Friday, I checked the MySQL logs for security purposes. I found a lot of unquoted fields in the SQL statements, like:

SELECT  id AS `uid`, name, age, sex FROM `rel_rev_file` WHERE age > 25 AND sex = 'female' OR id < 10 GROUP BY sex, age HAVING COUNT(age) > 60 ORDER BY id DESC, age LIMIT 20 OFFSET 40;

It only processes the field alias and the table name; what about the other fields???

@pmjones
Member

pmjones commented Jul 6, 2012

It'll quote only AS aliases, and fully-qualified (e.g., table.column) names.

@pmjones pmjones closed this as completed Jul 6, 2012
@harikt
Member

harikt commented Jul 8, 2012

@pmjones does that mean the user should write AS for the field?

E.g.: what do you think if the user has something like the following?

$select = new Aura\Sql\Select($sql);
$select->cols(array('id', 'author_id', 'title', 'body', 'count'));
$select->from('posts');

@ghost ghost assigned pmjones Jul 8, 2012
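As an added example (not Aura.Sql's own code, nor anything the maintainers posted here), the following hypothetical PHP helper shows the quoting behaviour the thread is asking about: plain column names, `table.column` names and `AS` aliases all get backticks, so a reserved word such as `count` from the column list above comes out as `` `count` `` and is no longer a syntax error, while a string that is really an expression rather than an identifier (for instance the `COUNT(age)` from the logged query) is refused instead of being emitted as if it were a column name. The function names are assumptions made for the example.

```php
<?php
// Added example, not Aura.Sql's own code. A hypothetical helper that
// backtick-quotes MySQL identifiers in the forms discussed in this issue:
// "name", "table.name" and "name AS alias".

/**
 * Quote a single identifier part (no dots, no AS) with backticks.
 * Anything that is not a plain identifier is rejected, so an expression
 * can never be passed through disguised as a "column name".
 */
function quoteIdentPart(string $part): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $part)) {
        throw new InvalidArgumentException("not a plain identifier: {$part}");
    }
    return '`' . $part . '`';
}

/**
 * Quote "name", "table.name" or "name AS alias".
 * A bare "*" (or "table.*") is passed through unquoted.
 */
function quoteColumn(string $spec): string
{
    $spec = trim($spec);

    // split off an optional alias: "name AS alias" (alias may already be backticked)
    $alias = null;
    if (preg_match('/^(.+?)\s+AS\s+(\S+)$/i', $spec, $m)) {
        $spec  = $m[1];
        $alias = trim($m[2], '`');
    }

    // quote each dotted part, leaving a bare "*" alone
    $parts = array_map(
        fn(string $p) => $p === '*' ? '*' : quoteIdentPart($p),
        explode('.', $spec)
    );
    $sql = implode('.', $parts);

    if ($alias !== null) {
        $sql .= ' AS ' . quoteIdentPart($alias);
    }
    return $sql;
}

/** Quote a whole column list for a SELECT. */
function quoteColumns(array $cols): string
{
    return implode(', ', array_map('quoteColumn', $cols));
}

// the column list from the comment above; "count" is a MySQL reserved word
echo quoteColumns(['id', 'author_id', 'title', 'body', 'count']), PHP_EOL;

// alias and fully-qualified forms from the logged query
echo quoteColumns(['id AS uid', 'posts.title', 'p.*']), PHP_EOL;

// an expression is not an identifier: it must be handled by a separate,
// expression-aware code path rather than quoted as a name
try {
    quoteColumn('COUNT(age)');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that quoting and validation go together: a quoter that only wraps whatever it is given in backticks would turn `COUNT(age)` into a syntactically wrong identifier, and one that passes unknown strings through raw would leave exactly the unquoted fields the log review found. Keeping expressions on an explicit, separate path is what lets every plain identifier be quoted unconditionally.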

3 participants