BUGFIX: fixed broken quoting of special chars

mattclegg · Dec 15, 2010 · 5705504 · 5705504
1 parent e92d12e
commit 5705504
Show file tree

Hide file tree

Showing 4 changed files with 312 additions and 271 deletions.
diff --git a/code/DBP.php b/code/DBP.php
@@ -1,82 +1,82 @@
-<?php
-
-class DBP {
-
-	public static $truncate_text_longer = 50;
-
-	public static $records_per_page = 10;
-
-	public static $adapters = array(
-		'MySQLDatabase' => 'MySQL',
-		'SQLiteDatabase' => 'SQLite',
-		'MSSQLDatabase' => 'MSSQL',
-		'PostgreSQLDatabase' => 'Postgres',
-	);
-
-	static function select($column, $table, $filter = null, $order = null, $limit = null, $offset = null) {
-		switch(DB::getConn()->getDatabaseServer()) {
-			case 'mssql':
-				if($filter) $filter = sprintf(" WHERE (%s)\n", $filter);
-				if(empty($order)) $order = '"ID" ASC';
-				if($limit || $offset) {
-					return sprintf('WITH results AS (
-						    SELECT 
-						        %s,
-						        rowNo_hide = ROW_NUMBER() OVER( ORDER BY %s )
-						    FROM "%s"
-							%s
-						) 
-						SELECT * 
-						FROM results
-						WHERE rowNo_hide between %d and %d
-						', $column, $order, $table, $filter, $offset, $offset + $limit);
-				} else {
-					return sprintf('SELECT %s FROM "%s"%s', $column, $table, $filter);
-				}
-			case 'oracle':
-				if($filter) $filter = sprintf(" WHERE (%s)\n", $filter);
-				if(empty($order)) $order = '"ID" ASC';
-				if($limit || $offset) {
-					$select = sprintf('SELECT %s FROM "%s"%s', $column, $table, $filter);
-					if(isset($offset)) $text = "SELECT $column FROM ($select) WHERE ROWNUM BETWEEN $offset AND " . ($offset + $limit);
-					else $text = "SELECT $column FROM ($select) WHERE ROWNUM <= " . $limit;
-					return $text;
-				} else {
-					return sprintf('SELECT %s FROM "%s"%s', $column, $table, $filter);
-				}
-			default:
-				if($filter) $filter = sprintf(" WHERE (%s)", $filter);
-				if($order) $order = sprintf(" ORDER BY %s", $order);
-				if($limit) $limit = isset($offset) ? sprintf(" LIMIT %d OFFSET %d", $limit, $offset) : sprintf(" LIMIT %d", $limit);
-				return sprintf('SELECT %s FROM "%s"%s%s%s', $column, $table, $filter, $order, $limit);
-		}
-	}
-}
-
-class DBP_Controller extends Controller {
-
-	protected $instance;
-	protected $model;
-
-	public function __construct($id = null) {
-		parent::__construct();
-		if(!preg_match('/^DBP_([a-z]+)_Controller$/i', get_class($this), $matches)) throw new Exception(get_class($this) . ' can\'t be instantiated');
-		$this->model = $model = $matches[1];
-		$modelClass = 'DBP_' . $matches[1];
-		if(!preg_match('/^[a-z0-9_\.]*$/i', $id)) throw new Exception('Invalid ' . $model . ' ID "' . $request->Param('ID') . '"');
-		$this->instance = new $modelClass($id);
-	}
-
-	function init() {
-		parent::init();
-		if(!Permission::check('ADMIN')) return Security::permissionFailure($this);
-	}
-
-	function show() {
-		return $this->instance->renderWith('DBP_' . $this->model);
-	}
-
-	function Link() {
-		foreach(self::$controller_stack as $c) if($c != $this && method_exists($c, 'Link')) return $c->Link();
-	}
+<?php
+
+class DBP {
+
+	public static $truncate_text_longer = 50;
+
+	public static $records_per_page = 10;
+
+	public static $adapters = array(
+		'MySQLDatabase' => 'MySQL',
+		'SQLite3Database' => 'SQLite',
+		'MSSQLDatabase' => 'MSSQL',
+		'PostgreSQLDatabase' => 'Postgres',
+	);
+
+	static function select($column, $table, $filter = null, $order = null, $limit = null, $offset = null) {
+		switch(DB::getConn()->getDatabaseServer()) {
+			case 'mssql':
+				if($filter) $filter = sprintf(" WHERE (%s)\n", $filter);
+				if(empty($order)) $order = '"ID" ASC';
+				if($limit || $offset) {
+					return sprintf('WITH results AS (
+						    SELECT 
+						        %s,
+						        rowNo_hide = ROW_NUMBER() OVER( ORDER BY %s )
+						    FROM "%s"
+							%s
+						) 
+						SELECT * 
+						FROM results
+						WHERE rowNo_hide between %d and %d
+						', $column, $order, $table, $filter, $offset, $offset + $limit);
+				} else {
+					return sprintf('SELECT %s FROM "%s"%s', $column, $table, $filter);
+				}
+			case 'oracle':
+				if($filter) $filter = sprintf(" WHERE (%s)\n", $filter);
+				if(empty($order)) $order = '"ID" ASC';
+				if($limit || $offset) {
+					$select = sprintf('SELECT %s FROM "%s"%s', $column, $table, $filter);
+					if(isset($offset)) $text = "SELECT $column FROM ($select) WHERE ROWNUM BETWEEN $offset AND " . ($offset + $limit);
+					else $text = "SELECT $column FROM ($select) WHERE ROWNUM <= " . $limit;
+					return $text;
+				} else {
+					return sprintf('SELECT %s FROM "%s"%s', $column, $table, $filter);
+				}
+			default:
+				if($filter) $filter = sprintf(" WHERE (%s)", $filter);
+				if($order) $order = sprintf(" ORDER BY %s", $order);
+				if($limit) $limit = isset($offset) ? sprintf(" LIMIT %d OFFSET %d", $limit, $offset) : sprintf(" LIMIT %d", $limit);
+				return sprintf('SELECT %s FROM "%s"%s%s%s', $column, $table, $filter, $order, $limit);
+		}
+	}
+}
+
+class DBP_Controller extends Controller {
+
+	protected $instance;
+	protected $model;
+
+	public function __construct($id = null) {
+		parent::__construct();
+		if(!preg_match('/^DBP_([a-z]+)_Controller$/i', get_class($this), $matches)) throw new Exception(get_class($this) . ' can\'t be instantiated');
+		$this->model = $model = $matches[1];
+		$modelClass = 'DBP_' . $matches[1];
+		if(!preg_match('/^[a-z0-9_\.]*$/i', $id)) throw new Exception('Invalid ' . $model . ' ID "' . $request->Param('ID') . '"');
+		$this->instance = new $modelClass($id);
+	}
+
+	function init() {
+		parent::init();
+		if(!Permission::check('ADMIN')) return Security::permissionFailure($this);
+	}
+
+	function show() {
+		return $this->instance->renderWith('DBP_' . $this->model);
+	}
+
+	function Link() {
+		foreach(self::$controller_stack as $c) if($c != $this && method_exists($c, 'Link')) return $c->Link();
+	}
 }
diff --git a/code/DBP_Database.php b/code/DBP_Database.php
@@ -183,7 +183,7 @@ function backup($tables, $dialect) {
 					if(is_null($cell)) {
 						$cell = 'NULL';
 					} else if(is_string($cell)) {
-						$cell = "'" . str_replace('\'', '\'\'', $cell) . "'";
+						$cell = DBP_SQLDialect::get($dialect)->escape($cell);
 					}
 					$cells[] = $cell;
 				}

diff --git a/code/DBP_SQLDialect.php b/code/DBP_SQLDialect.php
@@ -2,11 +2,15 @@
 
 class DBP_SQLDialect {
 
-	static function get() {
-		if(DB::getConn() instanceof MySQLDatabase) {
+	static function get($type = null) {
+
+		if($type) {
+			$class = "DBP_{$type}_Dialect";
+			return new $class();
+		} else if(DB::getConn() instanceof MySQLDatabase) {
 			return new DBP_MySQL_Dialect();
 		} else if(DB::getConn() instanceof SQLite3Database) {
-			return new DBP_SQLite3_Dialect();
+			return new DBP_SQLite_Dialect();
 		} else if(DB::getConn() instanceof MSSQLDatabase) {
 			return new DBP_MSSQL_Dialect();
 		} else if(DB::getConn() instanceof PostgresDatabase) {
@@ -21,15 +25,23 @@ function dropTable($table) {
 	function dropColumns($table, $columns) {
 		DB::query("ALTER TABLE \"$table\" DROP \"" . implode('", DROP "', $columns) . "\"");
 	}
+
+	function escape($string) {
+		return str_replace('\'', '\'\'', $string);
+	}
 }
 
-class DBP_MySQL_Dialect extends DBP_SQLDialect {}
+class DBP_MySQL_Dialect extends DBP_SQLDialect {
+	function escape($string) {
+		return addslashes($string);
+	}
+}
 
 class DBP_MSSQL_Dialect extends DBP_SQLDialect {}
 
 class DBP_Postgres_Dialect extends DBP_SQLDialect {}
 
-class DBP_SQLite3_Dialect extends DBP_SQLDialect {
+class DBP_SQLite_Dialect extends DBP_SQLDialect {
 
 	function dropColumns($table, $columns) {