Escape quotes in $db->quoteName

[csthomas]

Summary of Changes

Escape quote char in $db->quoteName() method.

It can be considered as a little security fix,
but joomla (with correct sanitise aliases/columns) is secure also without this patch.

I based on:

• doctrine/dbal@925b258
• DBAL-149: Doctrine\DBAL\Platforms\AbstractPlatform::quoteIdentifier WRONG implementation doctrine/dbal#1304
• https://github.com/zendframework/zend-db/blob/master/src/Adapter/Platform/AbstractPlatform.php#L74
• https://github.com/zendframework/zend-db/blob/master/src/Adapter/Platform/Mysql.php#L27

Testing Instructions

Code review or
Create and execute each query for specified database type:

$db = JFactory::getDbo();
$q1 = $db->getQuery(true)->select($db->quoteName('title', 'protected`title'))->from('#__content')->where('id=1');

// Without patch it generate error on mysql but it works on other databases
$db->setQuery($q1)->loadAssoc();

$db = JFactory::getDbo();
$q2 = $db->getQuery(true)->select($db->quoteName('title', 'protected"title'))->from('#__content')->where('id=1');

// Without patch it generate error on postgresql but it works on other databases
$db->setQuery($q2)->loadAssoc();

$db = JFactory::getDbo();
$q3 = $db->getQuery(true)->select($db->quoteName('title', 'protected]title'))->from('#__content')->where('id=1');

// Without patch it generate error on mssql but it works on other databases
$db->setQuery($q3)->loadAssoc();

Expected result - valid queries

• on MySQL
  • SELECT title AS `protected``title` FROM #__content where id=1
• on postgreSQL
  • SELECT title AS "protected""title" FROM #__content where id=1
• on MSSQL
  • SELECT title AS [protected]]title] FROM #__content where id=1

Actual result - invalid queries

• on MySQL
  • SELECT title AS `protected`title` FROM #__content where id=1
• on postgreSQL
  • SELECT title AS "protected"title" FROM #__content where id=1
• on MSSQL
  • SELECT title AS [protected]title] FROM #__content where id=1

Documentation Changes Required

No

[beat]

Reviewed source code, and looks ok.
Based on MSSQL official doc at Microsoft, second case seems ok too:
https://technet.microsoft.com/en-us/library/ms176027(v=sql.105).aspx#

[csthomas]

Great, but as usual we need 2 tests, I think that you review can be used as success test.
You can mark it as success at https://issues.joomla.org/tracker/joomla-cms/13825

[marrouchi]

I have tested this item ✅ successfully on 2305cf3

Tested on MySQL.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13825.}

[alikon]

I have tested this item ✅ successfully on 2305cf3

on mssql
on postgresql

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13825.}

[wilsonge]

With a small degree of trepidation given previous attempts to modify this function. Merged

[csthomas]

Then I will add a new PR with tests for quoteName for 3 dbs which will be tested by appveyor.