Skip to content

Commit

Permalink
Replace escapeString in CentralColumns
Browse files Browse the repository at this point in the history 
Signed-off-by: Kamil Tekiela <tekiela246@gmail.com>
  • Loading branch information
@kamil-tekiela
kamil-tekiela committed May 25, 2023
1 parent 68267ac commit e08ba58
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 84 deletions.
80 changes: 40 additions & 40 deletions libraries/classes/Database/CentralColumns.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,10 +120,10 @@ public function getColumnsList(string $db, int $from = 0, int $num = 25): array
//get current values of $db from central column list
if ($num == 0) {
$query = 'SELECT * FROM ' . Util::backquote($centralListTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\';';
. 'WHERE db_name = ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL) . ';';
} else {
$query = 'SELECT * FROM ' . Util::backquote($centralListTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\' '
. 'WHERE db_name = ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL) . ' '
. 'LIMIT ' . $from . ', ' . $num . ';';
}

Expand Down Expand Up @@ -152,7 +152,7 @@ public function getCount(string $db): int
$centralListTable = $cfgCentralColumns['table'];
$query = 'SELECT count(db_name) FROM '
. Util::backquote($centralListTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\';';
. 'WHERE db_name = ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL) . ';';
$res = $this->dbi->fetchResult($query, null, null, Connection::TYPE_CONTROL);
if (isset($res[0])) {
return (int) $res[0];
Expand Down Expand Up @@ -185,14 +185,14 @@ private function findExistingColNames(
$this->dbi->selectDb($pmadb, Connection::TYPE_CONTROL);
$centralListTable = $cfgCentralColumns['table'];
if ($allFields) {
$query = 'SELECT * FROM ' . Util::backquote($centralListTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\' AND col_name IN (' . $cols . ');';
$query = 'SELECT * FROM ' . Util::backquote($centralListTable) . ' WHERE db_name = '
. $this->dbi->quoteString($db, Connection::TYPE_CONTROL) . ' AND col_name IN (' . $cols . ');';
$hasList = $this->dbi->fetchResult($query, null, null, Connection::TYPE_CONTROL);
$this->handleColumnExtra($hasList);
} else {
$query = 'SELECT col_name FROM '
. Util::backquote($centralListTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\' AND col_name IN (' . $cols . ');';
. Util::backquote($centralListTable) . ' WHERE db_name = '
. $this->dbi->quoteString($db, Connection::TYPE_CONTROL) . ' AND col_name IN (' . $cols . ');';
$hasList = $this->dbi->fetchResult($query, null, null, Connection::TYPE_CONTROL);
}

Expand Down Expand Up @@ -238,14 +238,14 @@ private function getInsertQuery(

return 'INSERT INTO '
. Util::backquote($centralListTable) . ' '
. 'VALUES ( \'' . $this->dbi->escapeString($db) . '\' ,'
. '\'' . $this->dbi->escapeString($column) . '\',\''
. $this->dbi->escapeString($type) . '\','
. '\'' . $this->dbi->escapeString((string) $length) . '\',\''
. $this->dbi->escapeString($collation) . '\','
. '\'' . $this->dbi->escapeString($isNull) . '\','
. 'VALUES ( ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL) . ' ,'
. $this->dbi->quoteString($column, Connection::TYPE_CONTROL) . ','
. $this->dbi->quoteString($type, Connection::TYPE_CONTROL) . ','
. $this->dbi->quoteString((string) $length, Connection::TYPE_CONTROL) . ','
. $this->dbi->quoteString($collation, Connection::TYPE_CONTROL) . ','
. $this->dbi->quoteString($isNull, Connection::TYPE_CONTROL) . ','
. '\'' . implode(',', [$extra, $attribute])
. '\',\'' . $this->dbi->escapeString($default) . '\');';
. '\',' . $this->dbi->quoteString($default, Connection::TYPE_CONTROL) . ');';
}

/**
Expand Down Expand Up @@ -286,7 +286,7 @@ public function syncUniqueColumns(
foreach ($fieldSelect as $table) {
$fields[$table] = $this->dbi->getColumns($db, $table, true);
foreach (array_column($fields[$table], 'Field') as $field) {
$cols .= "'" . $this->dbi->escapeString($field) . "',";
$cols .= $this->dbi->quoteString($field, Connection::TYPE_CONTROL) . ',';
}
}

Expand All @@ -308,7 +308,7 @@ public function syncUniqueColumns(
}

foreach ($fieldSelect as $column) {
$cols .= "'" . $this->dbi->escapeString($column) . "',";
$cols .= $this->dbi->quoteString($column, Connection::TYPE_CONTROL) . ',';
}

$hasList = $this->findExistingColNames($db, trim($cols, ','));
Expand Down Expand Up @@ -389,7 +389,7 @@ public function deleteColumnsFromList(
foreach ($fieldSelect as $table) {
$fields[$table] = $this->dbi->getColumnNames($database, $table);
foreach ($fields[$table] as $colSelect) {
$cols .= '\'' . $this->dbi->escapeString($colSelect) . '\',';
$cols .= $this->dbi->quoteString($colSelect, Connection::TYPE_CONTROL) . ',';
}
}

Expand All @@ -407,7 +407,7 @@ public function deleteColumnsFromList(
} else {
$cols = '';
foreach ($fieldSelect as $colSelect) {
$cols .= '\'' . $this->dbi->escapeString($colSelect) . '\',';
$cols .= $this->dbi->quoteString($colSelect, Connection::TYPE_CONTROL) . ',';
}

$cols = trim($cols, ',');
Expand Down Expand Up @@ -435,8 +435,8 @@ public function deleteColumnsFromList(

$this->dbi->selectDb($pmadb, Connection::TYPE_CONTROL);

$query = 'DELETE FROM ' . Util::backquote($centralListTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($database) . '\' AND col_name IN (' . $cols . ');';
$query = 'DELETE FROM ' . Util::backquote($centralListTable) . ' WHERE db_name = '
. $this->dbi->quoteString($database, Connection::TYPE_CONTROL) . ' AND col_name IN (' . $cols . ');';

if (! $this->dbi->tryQuery($query, Connection::TYPE_CONTROL)) {
$message = Message::error(__('Could not remove columns!'));
Expand Down Expand Up @@ -476,7 +476,7 @@ public function makeConsistentWithList(
}

$query .= ' MODIFY ' . Util::backquote($column['col_name']) . ' '
. $this->dbi->escapeString($column['col_type']);
. $column['col_type'];
if ($column['col_length']) {
$query .= '(' . $column['col_length'] . ')';
}
Expand All @@ -494,9 +494,12 @@ public function makeConsistentWithList(
$column['col_default'] !== 'CURRENT_TIMESTAMP'
&& $column['col_default'] !== 'current_timestamp()'
) {
$query .= ' DEFAULT \'' . $this->dbi->escapeString((string) $column['col_default']) . '\'';
$query .= ' DEFAULT ' . $this->dbi->quoteString(
(string) $column['col_default'],
Connection::TYPE_CONTROL,
);
} else {
$query .= ' DEFAULT ' . $this->dbi->escapeString($column['col_default']);
$query .= ' DEFAULT ' . $column['col_default'];
}
}

Expand Down Expand Up @@ -543,7 +546,7 @@ public function getFromTable(
$fields = $this->dbi->getColumnNames($db, $table);
$cols = '';
foreach ($fields as $colSelect) {
$cols .= '\'' . $this->dbi->escapeString($colSelect) . '\',';
$cols .= $this->dbi->quoteString($colSelect, Connection::TYPE_CONTROL) . ',';
}

$cols = trim($cols, ',');
Expand Down Expand Up @@ -603,17 +606,16 @@ public function updateOneColumn(
$query = $this->getInsertQuery($colName, $def, $db, $centralTable);
} else {
$query = 'UPDATE ' . Util::backquote($centralTable)
. ' SET col_type = \'' . $this->dbi->escapeString($colType) . '\''
. ', col_name = \'' . $this->dbi->escapeString($colName) . '\''
. ', col_length = \'' . $this->dbi->escapeString($colLength) . '\''
. ' SET col_type = ' . $this->dbi->quoteString($colType, Connection::TYPE_CONTROL)
. ', col_name = ' . $this->dbi->quoteString($colName, Connection::TYPE_CONTROL)
. ', col_length = ' . $this->dbi->quoteString($colLength, Connection::TYPE_CONTROL)
. ', col_isNull = ' . $colIsNull
. ', col_collation = \'' . $this->dbi->escapeString($collation) . '\''
. ', col_collation = ' . $this->dbi->quoteString($collation, Connection::TYPE_CONTROL)
. ', col_extra = \''
. implode(',', [$colExtra, $colAttribute]) . '\''
. ', col_default = \'' . $this->dbi->escapeString($colDefault) . '\''
. ' WHERE db_name = \'' . $this->dbi->escapeString($db) . '\' '
. 'AND col_name = \'' . $this->dbi->escapeString($origColName)
. '\'';
. ', col_default = ' . $this->dbi->quoteString($colDefault, Connection::TYPE_CONTROL)
. ' WHERE db_name = ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL)
. ' AND col_name = ' . $this->dbi->quoteString($origColName, Connection::TYPE_CONTROL);
}

if (! $this->dbi->tryQuery($query, Connection::TYPE_CONTROL)) {
Expand Down Expand Up @@ -739,18 +741,18 @@ public function getListRaw(string $db, string $table): array
$centralTable = $cfgCentralColumns['table'];
if ($table === '') {
$query = 'SELECT * FROM ' . Util::backquote($centralTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\';';
. 'WHERE db_name = ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL) . ';';
} else {
$this->dbi->selectDb($db);
$columns = $this->dbi->getColumnNames($db, $table);
$cols = '';
foreach ($columns as $colSelect) {
$cols .= '\'' . $this->dbi->escapeString($colSelect) . '\',';
$cols .= $this->dbi->quoteString($colSelect, Connection::TYPE_CONTROL) . ',';
}

$cols = trim($cols, ',');
$query = 'SELECT * FROM ' . Util::backquote($centralTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\'';
. 'WHERE db_name = ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL);
if ($cols) {
$query .= ' AND col_name NOT IN (' . $cols . ')';
}
Expand Down Expand Up @@ -809,12 +811,10 @@ public function getHtmlForEditingPage(array $selectedFld, string $selectedDb): s
$html = '';
$selectedFldSafe = [];
foreach ($selectedFld as $key) {
$selectedFldSafe[] = $this->dbi->escapeString($key);
$selectedFldSafe[] = $this->dbi->quoteString($key, Connection::TYPE_CONTROL);
}

$columnsList = implode("','", $selectedFldSafe);
$columnsList = "'" . $columnsList . "'";
$listDetailCols = $this->findExistingColNames($selectedDb, $columnsList, true);
$listDetailCols = $this->findExistingColNames($selectedDb, implode(',', $selectedFldSafe), true);
$rowNum = 0;
foreach ($listDetailCols as $row) {
$tableHtmlRow = $this->getHtmlForEditTableRow($row, $rowNum);
Expand Down Expand Up @@ -848,7 +848,7 @@ public function getColumnsCount(string $db, int $from = 0, int $num = 25): int
$centralListTable = $cfgCentralColumns['table'];
//get current values of $db from central column list
$query = 'SELECT COUNT(db_name) FROM ' . Util::backquote($centralListTable) . ' '
. 'WHERE db_name = \'' . $this->dbi->escapeString($db) . '\''
. 'WHERE db_name = ' . $this->dbi->quoteString($db, Connection::TYPE_CONTROL)
. ($num === 0 ? '' : 'LIMIT ' . $from . ', ' . $num) . ';';
$result = $this->dbi->fetchResult($query, null, null, Connection::TYPE_CONTROL);

Expand Down
4 changes: 2 additions & 2 deletions phpstan-baseline.neon
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2761,8 +2761,8 @@ parameters:
path: libraries/classes/Database/CentralColumns.php

-
message: "#^Parameter \\#1 \\$str of method PhpMyAdmin\\\\DatabaseInterface\\:\\:escapeString\\(\\) expects string, mixed given\\.$#"
count: 5
message: "#^Parameter \\#1 \\$str of method PhpMyAdmin\\\\DatabaseInterface\\:\\:quoteString\\(\\) expects string, mixed given\\.$#"
count: 4
path: libraries/classes/Database/CentralColumns.php

-
Expand Down
42 changes: 2 additions & 40 deletions psalm-baseline.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4664,41 +4664,6 @@
</PossiblyNullReference>
</file>
<file src="libraries/classes/Database/CentralColumns.php">
<DeprecatedMethod>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
<code>escapeString</code>
</DeprecatedMethod>
<MixedArgument>
<code>$centralListTable</code>
<code>$centralListTable</code>
Expand All @@ -4721,10 +4686,8 @@
<code>$column</code>
<code>$columnDefault[$i]</code>
<code>$columnExtra[$i]</code>
<code><![CDATA[$column['col_default']]]></code>
<code><![CDATA[$column['col_name']]]></code>
<code><![CDATA[$column['col_name']]]></code>
<code><![CDATA[$column['col_type']]]></code>
<code><![CDATA[$def['Type']]]></code>
<code>$default</code>
<code><![CDATA[$extractedColumnSpec['attribute']]]></code>
Expand Down Expand Up @@ -4847,8 +4810,10 @@
<code>$column</code>
<code>$column</code>
<code><![CDATA[$column['col_attribute']]]></code>
<code><![CDATA[$column['col_default']]]></code>
<code><![CDATA[$column['col_extra']]]></code>
<code><![CDATA[$column['col_length']]]></code>
<code><![CDATA[$column['col_type']]]></code>
</MixedOperand>
<MixedReturnStatement>
<code>$cfgCentralColumns</code>
Expand Down Expand Up @@ -5860,9 +5825,6 @@
</MixedReturnTypeCoercion>
</file>
<file src="libraries/classes/Display/Results.php">
<DeprecatedMethod>
<code>escapeString</code>
</DeprecatedMethod>
<InvalidArgument>
<code>$added[$orgFullTableName]</code>
<code>$multiOrderUrlParams</code>
Expand Down
4 changes: 2 additions & 2 deletions test/classes/Database/CentralColumnsTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -154,8 +154,8 @@ protected function setUp(): void
->will(
$this->returnValue(['PMA_table', 'PMA_table1', 'PMA_table2']),
);
$dbi->expects($this->any())->method('escapeString')
->will($this->returnArgument(0));
$dbi->expects($this->any())->method('quoteString')
->will($this->returnCallback(static fn (string $string): string => "'" . $string . "'"));

$this->centralColumns = new CentralColumns($dbi);
}
Expand Down

0 comments on commit e08ba58

Please sign in to comment.