$this->dbutil->backup(), driver mysql, table name escaped #1879

Closed
wants to merge 2 commits into from

3 participants

@tomcode

The table name was not escaped everywhere; table names like 'references' would cause an error.

@ckdarby

Rest of the functions perform the same stuff in the utility file so this looks valid to me.

@narfbg Can you take a look at this when you get a chance?

@tomcode

For info,

I've created backups in three variants:

  • plain,
  • with option add_drop
  • and with options add_drop and add_insert

I then created new databases of the files

@narfbg
Owner

There will be no 2.1.4 release and this is already fixed in develop - closing.

@narfbg narfbg closed this
Commits on Oct 11, 2012
  1. @tomcode

    mysql_utility::_backup() : escape table name

    tomcode authored
    - queries were only partially escaped
  2. @tomcode

    Update change log

    tomcode authored
16 system/database/drivers/mysql/mysql_utility.php
@@ -85,6 +85,9 @@ function _backup($params = array())
// Extract the prefs for simplicity
extract($params);
+
+ // Escape table name for output
+ $db_escaped = $this->db->_escape_identifiers($this->db->database);
// Build the output
$output = '';
foreach ((array)$tables as $table)
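Review bot: The comment on the added line says "Escape table name for output", but the value being escaped is `$this->db->database`, which is the database name, and it is used in the SHOW CREATE TABLE query rather than written to the dump. Reword it to something like "Escape database name" so it is not confused with `$table_escaped`, which is introduced inside the loop.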
@@ -95,8 +98,11 @@ function _backup($params = array())
continue;
}
+ // Escape table name
+ $table_escaped = $this->db->_escape_identifiers($table);
+
// Get the table schema
- $query = $this->db->query("SHOW CREATE TABLE `".$this->db->database.'`.`'.$table.'`');
+ $query = $this->db->query("SHOW CREATE TABLE ".$db_escaped.'.'.$table_escaped);
// No result means the table name was invalid
if ($query === FALSE)
@@ -105,11 +111,11 @@ function _backup($params = array())
}
// Write out the table schema
- $output .= '#'.$newline.'# TABLE STRUCTURE FOR: '.$table.$newline.'#'.$newline.$newline;
+ $output .= '#'.$newline.'# TABLE STRUCTURE FOR: '.$table_escaped.$newline.'#'.$newline.$newline;
if ($add_drop == TRUE)
{
- $output .= 'DROP TABLE IF EXISTS '.$table.';'.$newline.$newline;
+ $output .= 'DROP TABLE IF EXISTS '.$table_escaped.';'.$newline.$newline;
}
$i = 0;
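Review bot: On the `# TABLE STRUCTURE FOR:` line, `$table_escaped` is written into a comment in the dump, where identifier quoting has no effect; only the `DROP TABLE IF EXISTS` line needs the escaped name. Keeping `$table` in the comment header would leave the existing dump format unchanged for anything that reads those headers.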
@@ -129,7 +135,7 @@ function _backup($params = array())
}
// Grab all the data from the current table
- $query = $this->db->query("SELECT * FROM $table");
+ $query = $this->db->query("SELECT * FROM .$table_escaped");
if ($query->num_rows() == 0)
{
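Review bot: The added query string `"SELECT * FROM .$table_escaped"` has a literal dot inside the double quotes, so the statement sent to MySQL starts the table reference with a stray `.` and the data export will fail for every table. This looks like a concatenation operator that ended up inside the string; it should be `"SELECT * FROM ".$table_escaped` (or `"SELECT * FROM $table_escaped"`). The SHOW CREATE TABLE query in the earlier hunk qualifies the table with `$db_escaped`, so consider doing the same here for consistency.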
@@ -196,7 +202,7 @@ function _backup($params = array())
$val_str = preg_replace( "/, $/" , "" , $val_str);
// Build the INSERT string
- $output .= 'INSERT INTO '.$table.' ('.$field_str.') VALUES ('.$val_str.');'.$newline;
+ $output .= 'INSERT INTO '.$table_escaped.' ('.$field_str.') VALUES ('.$val_str.');'.$newline;
}
$output .= $newline.$newline;
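Review bot: The INSERT line now quotes the table name, but `$field_str` is built outside this hunk and is placed between the parentheses unchanged. If the column names in it are not passed through the same identifier escaping, a column named after a reserved word would break the restored dump in the same way the table name did, so it is worth checking and covering both in this fix.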
8 user_guide/changelog.html
@@ -57,6 +57,14 @@
<h1>Change Log</h1>
+<h2>Version 2.1.4</h2>
+<p>Release Date: unreleased</p>
+
+<h3>Bug fixes for 2.1.4:</h3>
+<ul>
+ <li>Fixed a bug in the mysql driver method <a href="database/utilities.html#backup">$this->dbutil->backup()</a>, the table name was only partially escaped.</li>
+</ul>
+
<h2>Version 2.1.3</h2>
<p>Release Date: October 8, 2012</p>