1 parent 03eca81 commit 25b9334
libs/picodb/lib/PicoDb/Database.php
@@ -5,6 +5,7 @@
5
use Closure;
6
use PDOException;
7
use LogicException;
8
+use PicoDb\SQLException;
9
use PicoDb\Driver\Mssql;
10
use PicoDb\Driver\Sqlite;
11
use PicoDb\Driver\Mysql;
@@ -215,6 +216,11 @@ public function escapeIdentifier($value, $table = '')
215
216
return $value;
217
}
218
219
+ // Avoid potential SQL injection
220
+ if (preg_match('/^[a-z0-9_]+$/', $value) === 0) {
221
+ throw new SQLException('Invalid identifier: '.$value);
222
+ }
223
+
224
if (! empty($table)) {
225
return $this->driver->escape($table).'.'.$this->driver->escape($value);
226
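Review bot: The new identifier check at `+ if (preg_match('/^[a-z0-9_]+$/', $value) === 0) {` is not as tight as the comment "Avoid potential SQL injection" suggests: without the `D` modifier `$` also matches before a trailing newline, so a value ending in "\n" passes, and `=== 0` treats a `false` return (PCRE error) as a valid identifier rather than rejecting it. Fail closed on both with `if (preg_match('/^[a-z0-9_]+$/D', $value) !== 1) {`. The same pattern is not applied to `$table` before `$this->driver->escape($table)` two lines below the added block, so unless the driver's escape or a caller validates it, the table name remains the weaker of the two inputs — worth confirming. The `return $value;` at the top of the hunk exits before the new check; its condition is outside the hunk, so please verify that branch cannot be reached with caller-supplied input. escapeIdentifier() begins and ends outside this hunk.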