

pedantry - we're quoting not escaping
ghalse committed May 10, 2024
1 parent 176bc4f commit f872a43
Showing 1 changed file with 9 additions and 8 deletions.
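--- a/src/Auth/Process/AttributeFromSQL.php
+++ b/src/Auth/Process/AttributeFromSQL.php
@@ -45,8 +45,9 @@ class AttributeFromSQL extends Auth\ProcessingFilter
 /** @var bool|false Should we ignore expiry */
 private bool $ignoreExpiry;
 
-private $sqlEscapeChar = '`';
-
+/** @var string Character used to quote SQL identifiers. Default to " per SQL:1999 */
+private $sqlIdentifierQuoteChar = '"';
+
 /**
 * Initialize this filter, parse configuration.
 *
@@ -131,11 +132,11 @@ private function connect(): \PDO
 switch ($driver) {
 case 'mysql':
 $db->exec("SET NAMES 'utf8'");
-$this->sqlEscapeChar = '`';
+$this->sqlIdentifierQuoteChar = '`';
 break;
 case 'pgsql':
 $db->exec("SET NAMES 'UTF8'");
-$this->sqlEscapeChar = '"';
+$this->sqlIdentifierQuoteChar = '"';
 break;
 }
 
@@ -164,14 +165,14 @@ public function process(array &$state): void
 }
 
 $db = $this->connect();
-$esc = $this->sqlEscapeChar;
+$iq = $this->sqlIdentifierQuoteChar;
 
 try {
 $sth = $db->prepare(
-'SELECT ' . $esc . 'attribute' . $esc . ',' . $esc . 'value' . $esc . ' FROM ' .
+'SELECT ' . $iq . 'attribute' . $iq . ',' . $iq . 'value' . $iq . ' FROM ' .
 $this->table .
-' WHERE ' . $esc . 'uid' . $esc . '=? AND (' . $esc . 'sp' . $esc . '=\'%\' OR ' . $esc . 'sp' . $esc . '=?)' .
-($this->ignoreExpiry ? '' : ' AND ' . $esc . 'expires' . $esc . '>CURRENT_DATE') .
+' WHERE ' . $iq . 'uid' . $iq . '=? AND (' . $iq . 'sp' . $iq . '=\'%\' OR ' . $iq . 'sp' . $iq . '=?)' .
+($this->ignoreExpiry ? '' : ' AND ' . $iq . 'expires' . $iq . '>CURRENT_DATE') .
 ';'
 );
 } catch (\PDOException $e) {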
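Review bot: `$this->table` is still concatenated into the statement bare on the line after the `SELECT`, so the one identifier in this query that is not a hard-coded literal gets no quoting at all while the fixed column names around it do; the renamed `$iq` does nothing for it. If the table name comes from filter configuration (the constructor that parses it is outside this hunk), it should at least be validated against an identifier pattern before use, or wrapped with the same quote character with embedded quotes doubled, e.g. `$table = $iq . str_replace($iq, $iq . $iq, $this->table) . $iq;`, noting that a dotted `schema.table` value would then need splitting on `.` first. The `uid` and `sp` values are bound via `?` placeholders, so the user-controlled inputs themselves are not interpolated. For consistency with the typed `private bool $ignoreExpiry` in the first hunk, the new property should also carry a native type, `private string $sqlIdentifierQuoteChar = '"';`. The body of `process()` continues past the end of this hunk.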
