[fix] Fix columnQuote for security issue reported by Snyk
catfan committed Oct 11, 2019
1 parent b3f05ed commit 659864b
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/Medoo.php
@@ -500,6 +500,11 @@ protected function typeMap($value, $type)

protected function columnQuote($string)
{
if (!preg_match('/^[a-zA-Z0-9]+(\.?[a-zA-Z0-9]+)?$/i', $string))

@jfcherng

jfcherng Oct 12, 2019

Contributor

It's perfectly valid to use _ in a column name and I believe it's used quite often. This change would make v1.7.4 literally unusable for most people.

Not sure about other SQL standards. For MySQL, it's valid to use some UTF-8 chars as the column name.
https://dev.mysql.com/doc/refman/8.0/en/identifiers.html

@catfan

catfan Oct 12, 2019

Author Owner

Thanks for this great spot. The _ should be added. Although it's possible to use UTF-8 chars for column names, it may cause some problems for some databases. Using a-zA-Z0-9_ is enough for most cases.

{
throw new InvalidArgumentException("Incorrect column name \"$string\"");
}

if (strpos($string, '.') !== false)
{
return '"' . $this->prefix . str_replace('.', '"."', $string) . '"';
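Review bot: the new whitelist `/^[a-zA-Z0-9]+(\.?[a-zA-Z0-9]+)?$/i` rejects `_`, which is legal and common in column names (as jfcherng's inline comment points out), so every existing call with such a name will now throw `InvalidArgumentException`; suggest `/^[a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)?$/`, which adds the underscore, drops the redundant `i` flag (both letter cases are already listed), and makes the dot mandatory inside the optional group so that `(\.?[a-zA-Z0-9]+)?` can no longer match a plain alphanumeric tail and the only accepted shapes are `column` and `table.column`. Worth also noting in the commit message that the check covers only `$string`; the `$this->prefix` value concatenated on the `return` line is not validated, which is fine while the prefix comes from configuration rather than request input.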
