Merge pull request #5 from pnomolos/mysql_quoting
Quote fields when accessed via the PDO adapter.
vlucas committed May 22, 2012
2 parents 6cbef40 + 142be0e commit 4668589
Showing 2 changed files with 28 additions and 8 deletions.
10 changes: 10 additions & 0 deletions lib/Spot/Adapter/Mysql.php
Expand Up @@ -68,6 +68,16 @@ public function engine($engine = null)
}
return $this->_engine;
}

/**
* Escape/quote direct user input
*
* @param string $string
*/
public function escapeField($field)
{
return $field == '*' ? $field : '`' . $field . '`';
}


/**
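Review bot: The new `escapeField` wraps `$field` in backticks without doubling any backtick already inside it, so a field name containing a backtick terminates the quoted identifier early; the body should double each backtick in `$field` (a `str_replace` with the backtick as needle and two backticks as replacement) before wrapping it, and the `$field == '*'` check should use `===`. The docblock above it still says `@param string $string` although the parameter is `$field`, and it has no `@return string`; the same docblock is copied onto the base `escapeField` in `lib/Spot/Adapter/PDO/Abstract.php`. If any caller passes a qualified name such as `table.column`, this implementation would quote it as a single identifier, which MySQL would not resolve, so that is worth confirming against the call sites in `Abstract.php`.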
26 changes: 18 additions & 8 deletions lib/Spot/Adapter/PDO/Abstract.php
Expand Up @@ -50,6 +50,16 @@ public function escape($string)
{
return $this->connection()->quote($string);
}

/**
* Escape/quote direct user input
*
* @param string $string
*/
public function escapeField($field)
{
return $field;
}


/**
Expand Down Expand Up @@ -237,7 +247,7 @@ public function create($datasource, array $data, array $options = array())
$binds = $this->statementBinds($data);
// build the statement
$sql = "INSERT INTO " . $datasource .
" (" . implode(', ', array_keys($data)) . ")" .
" (" . implode(', ', array_map(array($this, 'escapeField'), array_keys($data))) . ")" .
" VALUES(:" . implode(', :', array_keys($binds)) . ")";

// Add query to log
Expand Down Expand Up @@ -286,7 +296,7 @@ public function read(\Spot\Query $query, array $options = array())
$order = array();
if($query->order) {
foreach($query->order as $oField => $oSort) {
$order[] = $oField . " " . $oSort;
$order[] = $this->escapeField($oField) . " " . $oSort;
}
}

Expand Down Expand Up @@ -331,7 +341,7 @@ public function read(\Spot\Query $query, array $options = array())
if($e->getCode() == "42S02") {
throw new \Spot\Exception_Datasource_Missing("Table or datasource '" . $query->datasource . "' does not exist");
}

// Re-throw exception
throw $e;
}
Expand Down Expand Up @@ -402,7 +412,7 @@ public function update($datasource, array $data, array $where = array(), array $
$dataFields = array_combine(array_keys($data), array_keys($dataBinds));
// Placeholders and passed data
foreach($dataFields as $field => $bindField) {
$placeholders[] = $field . " = :" . $bindField . "";
$placeholders[] = $this->escapeField($field) . " = :" . $bindField . "";
}

$conditions = $this->statementConditions($where, count($dataBinds));
Expand Down Expand Up @@ -571,7 +581,7 @@ public function dropDatabase($database) {
*/
public function statementFields(array $fields = array())
{
return count($fields) > 0 ? implode(', ', $fields) : "*";
return count($fields) > 0 ? implode(', ', array_map(array($this, 'escapeField'), $fields)) : "*";
}


Expand Down Expand Up @@ -637,7 +647,7 @@ public function statementConditions(array $conditions = array(), $ci = 0)
// MATCH(col) AGAINST(search)
case ':fulltext':
$colParam = preg_replace('/\W+/', '_', $col) . $ci;
$whereClause = "MATCH(" . $col . ") AGAINST(:" . $colParam . ")";
$whereClause = "MATCH(" . $this->escapeField($col) . ") AGAINST(:" . $colParam . ")";
break;
// ALL - Find ALL values in a set - Kind of like IN(), but seeking *all* the values
case ':all':
Expand Down Expand Up @@ -675,9 +685,9 @@ public function statementConditions(array $conditions = array(), $ci = 0)
$valueIn .= $this->escape($val) . ",";
}
$value = "(" . trim($valueIn, ',') . ")";
$whereClause = $col . " " . $operator . " " . $value;
$whereClause = $this->escapeField($col) . " " . $operator . " " . $value;
} elseif(is_null($value)) {
$whereClause = $col . " " . $operator;
$whereClause = $this->escapeField($col) . " " . $operator;
}

if(empty($whereClause)) {
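Review bot: In the `read()` hunk the sort direction `$oSort` is still concatenated raw into the ORDER BY clause right after the now-escaped `$oField`, so escaping the column does not close the clause off if the direction can come from request input; restricting it to the two valid keywords, e.g. `$order[] = $this->escapeField($oField) . " " . (strtoupper($oSort) === 'DESC' ? 'DESC' : 'ASC');`, would. Whether `$query->order` values are ever user-supplied is not visible here, so treat that as something to confirm. The base `escapeField` added at the top of this file returns `$field` unchanged, which means every non-MySQL PDO adapter still emits unquoted identifiers at all the call sites this commit touches, and a short comment stating that subclasses are expected to override it for their driver's identifier quoting would make that intent explicit. `read()` begins and ends outside the hunk.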
