Merge pull request #18201 from kamil-tekiela/quoteString-in-UserGroups

Use quoteString in UserGroups
phpmyadmin · Mar 3, 2023 · a659874 · a659874
2 parents 8123a81 + a6cfa89
commit a659874
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 16 deletions.
diff --git a/libraries/classes/ConfigStorage/UserGroups.php b/libraries/classes/ConfigStorage/UserGroups.php
@@ -47,8 +47,7 @@ public static function getHtmlForListingUsersofAGroup(
         $usersTable = Util::backquote($configurableMenusFeature->database)
             . '.' . Util::backquote($configurableMenusFeature->users);
         $sql_query = 'SELECT `username` FROM ' . $usersTable
-            . " WHERE `usergroup`='" . $GLOBALS['dbi']->escapeString($userGroup)
-            . "'";
+            . ' WHERE `usergroup`=' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL);
         $result = $GLOBALS['dbi']->tryQueryAsControlUser($sql_query);
         if ($result) {
             $i = 0;
@@ -220,8 +219,7 @@ public static function getHtmlToEditUserGroup(
             $groupTable = Util::backquote($configurableMenusFeature->database)
                 . '.' . Util::backquote($configurableMenusFeature->userGroups);
             $sql_query = 'SELECT * FROM ' . $groupTable
-                . " WHERE `usergroup`='" . $GLOBALS['dbi']->escapeString($userGroup)
-                . "'";
+                . ' WHERE `usergroup`=' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL);
             $result = $GLOBALS['dbi']->tryQueryAsControlUser($sql_query);
             if ($result) {
                 foreach ($result as $row) {
@@ -315,8 +313,7 @@ public static function edit(
 
         if (! $new) {
             $sql_query = 'DELETE FROM ' . $groupTable
-                . " WHERE `usergroup`='" . $GLOBALS['dbi']->escapeString($userGroup)
-                . "';";
+                . ' WHERE `usergroup`=' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL) . ';';
             $GLOBALS['dbi']->queryAsControlUser($sql_query);
         }
 
@@ -333,7 +330,8 @@ public static function edit(
 
                 $tabName = $tabGroupName . '_' . $tab;
                 $allowed = isset($_POST[$tabName]) && $_POST[$tabName] === 'Y';
-                $sql_query .= "('" . $GLOBALS['dbi']->escapeString($userGroup) . "', '" . $tabName . "', '"
+                $sql_query .= '(' . $GLOBALS['dbi']->quoteString($userGroup, Connection::TYPE_CONTROL)
+                    . ', ' . $GLOBALS['dbi']->quoteString($tabName, Connection::TYPE_CONTROL) . ", '"
                     . ($allowed ? 'Y' : 'N') . "')";
                 $first = false;
             }

diff --git a/psalm-baseline.xml b/psalm-baseline.xml
@@ -902,12 +902,6 @@
     </RedundantCondition>
   </file>
   <file src="libraries/classes/ConfigStorage/UserGroups.php">
-    <DeprecatedMethod>
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-      <code>escapeString</code>
-    </DeprecatedMethod>
     <MixedArgumentTypeCoercion>
       <code>$tabNames</code>
     </MixedArgumentTypeCoercion>

diff --git a/test/classes/ConfigStorage/UserGroupsTest.php b/test/classes/ConfigStorage/UserGroupsTest.php
@@ -140,9 +140,8 @@ public function testGetHtmlToEditUserGroup(): void
                     ],
                 ];
             }));
-        $dbi->expects($this->any())
-            ->method('escapeString')
-            ->will($this->returnArgument(0));
+        $dbi->expects($this->any())->method('quoteString')
+            ->will($this->returnCallback(static fn (string $string): string => "'" . $string . "'"));
 
         $GLOBALS['dbi'] = $dbi;