
Commit 25b9334

committed
Avoid potential SQL injections without breaking compatibility with plugins
1 parent 03eca81 commit 25b9334


1 file changed

+6
-0
lines changed

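--- a/libs/picodb/lib/PicoDb/Database.php
+++ b/libs/picodb/lib/PicoDb/Database.php
@@ -5,6 +5,7 @@
 use Closure;
 use PDOException;
 use LogicException;
+use PicoDb\SQLException;
 use PicoDb\Driver\Mssql;
 use PicoDb\Driver\Sqlite;
 use PicoDb\Driver\Mysql;
@@ -215,6 +216,11 @@ public function escapeIdentifier($value, $table = '')
 return $value;
 }
 
+// Avoid potential SQL injection
+if (preg_match('/^[a-z0-9_]+$/', $value) === 0) {
+throw new SQLException('Invalid identifier: '.$value);
+}
+
 if (! empty($table)) {
 return $this->driver->escape($table).'.'.$this->driver->escape($value);
 }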
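Review bot: The new guard in escapeIdentifier() still lets two inputs through that it means to reject: a value with a trailing newline, because `$` in PCRE also matches just before a final "\n", and any value on which preg_match() fails and returns false, since `false === 0` is false and no exception is thrown; comparing against the only success value and anchoring with the `D` modifier closes both: `if (preg_match('/^[a-z0-9_]+$/D', $value) !== 1) {`. The character class is also case-sensitive, so identifiers containing uppercase letters are now refused; if that is not the intent (the title promises plugin compatibility), add the `i` modifier. The check sits after the `return $value;` at the top of the hunk, so whatever condition precedes that return (outside the hunk, as is the rest of the method) bypasses the validation entirely and is worth a comment saying why that path is safe.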
