
use rex_sql::escapeLikeWildcards() (#5348)
* use rex_sql::escapeLikeWildcards()

* Update handler.php

* fix

* Update baseline-taint.xml

* Update psalm taint baseline

Co-authored-by: staabm <staabm@users.noreply.github.com>
staabm and staabm committed Oct 8, 2022
1 parent 5d4f06b commit af5c597
Showing 4 changed files with 12 additions and 7 deletions.
6 changes: 6 additions & 0 deletions .tools/psalm/baseline-taint.xml
Expand Up @@ -5,6 +5,12 @@
<code>$str</code>
</TaintedHeader>
</file>
<file src="redaxo/src/core/lib/sql/sql.php">
<TaintedSql occurrences="2">
<code>$query</code>
<code>$query</code>
</TaintedSql>
</file>
<file src="redaxo/src/core/lib/util/socket/socket.php">
<TaintedCallable occurrences="1">
<code>$data</code>
5 changes: 2 additions & 3 deletions redaxo/src/addons/metainfo/lib/handler/handler.php
Expand Up @@ -641,8 +641,8 @@ public static function getSaveValue($fieldName, $fieldType, $fieldAttributes)
*/
protected static function getSqlFields($prefix, $filterCondition = '')
{
// replace LIKE wildcards
$prefix = str_replace(['_', '%'], ['\_', '\%'], $prefix);
$sqlFields = rex_sql::factory();
$prefix = $sqlFields->escapeLikeWildcards($prefix);

$qry = 'SELECT
*
Expand All @@ -656,7 +656,6 @@ protected static function getSqlFields($prefix, $filterCondition = '')
ORDER BY
priority';

$sqlFields = rex_sql::factory();
//$sqlFields->setDebug();
$sqlFields->setQuery($qry);

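Review bot: escapeLikeWildcards() only neutralises the LIKE metacharacters `_` and `%`, so the `$prefix` returned by `$sqlFields->escapeLikeWildcards($prefix)` still has to be SQL-quoted before it is placed into `$qry`; the SELECT body is collapsed between the two hunks, so it cannot be seen here whether that happens via `$sqlFields->escape()` or via the parameter array of `setQuery()` — worth confirming. The same point applies to field.php, where `$likePrefix` is concatenated unquoted into the LIKE literal; unless `$prefix` there is a fixed internal value set outside the hunk, that line should read `'... WHERE `name` LIKE ' . $sql->escape($likePrefix . '%') . ' ORDER BY priority'`. In table_expander.php the escaped prefix is handed to rex_sql_util::organizePriorities(), which presumably does its own quoting. getSqlFields() begins before the first hunk and continues past the second.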
4 changes: 2 additions & 2 deletions redaxo/src/addons/metainfo/lib/table_expander.php
Expand Up @@ -306,8 +306,8 @@ protected function organizePriorities(int $newPrio, int $oldPrio): void
return;
}

// replace LIKE wildcards
$metaPrefix = str_replace(['_', '%'], ['\_', '\%'], $this->metaPrefix);
$sql = rex_sql::factory();
$metaPrefix = $sql->escapeLikeWildcards($this->metaPrefix);

rex_sql_util::organizePriorities(
$this->tableName,
4 changes: 2 additions & 2 deletions redaxo/src/addons/metainfo/pages/field.php
Expand Up @@ -40,8 +40,8 @@

$title = rex_i18n::msg('minfo_field_list_caption');

// replace LIKE wildcards
$likePrefix = str_replace(['_', '%'], ['\_', '\%'], $prefix);
$sql = rex_sql::factory();
$likePrefix = $sql->escapeLikeWildcards($prefix);

$list = rex_list::factory('SELECT id, name FROM ' . rex::getTablePrefix() . 'metainfo_field WHERE `name` LIKE "' . $likePrefix . '%" ORDER BY priority');
$list->addTableAttribute('class', 'table-striped table-hover');
