From 142be0e5da9611d82a5242c379aa1d1836dfbe17 Mon Sep 17 00:00:00 2001
From: Phil
Date: Mon, 21 May 2012 16:03:04 -0700
Subject: [PATCH] Quote fields when accessed via the PDO adapter.
---
lib/Spot/Adapter/Mysql.php | 10 ++++++++++
lib/Spot/Adapter/PDO/Abstract.php | 26 ++++++++++++++++++--------
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/lib/Spot/Adapter/Mysql.php b/lib/Spot/Adapter/Mysql.php
index 309b4b2..9f602bd 100644
--- a/lib/Spot/Adapter/Mysql.php
+++ b/lib/Spot/Adapter/Mysql.php
@@ -68,6 +68,16 @@ public function engine($engine = null)
 }
 return $this->_engine;
 }
+
+ /**
+ * Escape/quote direct user input
+ *
+ * @param string $string
+ */
+ public function escapeField($field)
+ {
+ return $field == '*' ? $field : '`' . $field . '`';
+ }
 /**
diff --git a/lib/Spot/Adapter/PDO/Abstract.php b/lib/Spot/Adapter/PDO/Abstract.php
index d1dc04a..a94bf15 100644
--- a/lib/Spot/Adapter/PDO/Abstract.php
+++ b/lib/Spot/Adapter/PDO/Abstract.php
@@ -50,6 +50,16 @@ public function escape($string)
 {
 return $this->connection()->quote($string);
 }
+
+ /**
+ * Escape/quote direct user input
+ *
+ * @param string $string
+ */
+ public function escapeField($field)
+ {
+ return $field;
+ }
 /**
@@ -237,7 +247,7 @@ public function create($datasource, array $data, array $options = array())
 $binds = $this->statementBinds($data);
 // build the statement
 $sql = "INSERT INTO " . $datasource .
- " (" . implode(', ', array_keys($data)) . ")" .
+ " (" . implode(', ', array_map(array($this, 'escapeField'), array_keys($data))) . ")" .
 " VALUES(:" . implode(', :', array_keys($binds)) . ")";
 // Add query to log
@@ -286,7 +296,7 @@ public function read(\Spot\Query $query, array $options = array())
 $order = array();
 if($query->order) {
 foreach($query->order as $oField => $oSort) {
- $order[] = $oField . " " . $oSort;
+ $order[] = $this->escapeField($oField) . " " . $oSort;
 }
 }
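Review bot: Mysql::escapeField wraps the name in backticks but does not double a backtick that is already inside `$field`, so a name containing one closes the quoting early; the docblock calls this escaping of direct user input, which it is not until that case is handled. Suggest `return $field === '*' ? $field : '`' . str_replace('`', '``', $field) . '`';`, which also replaces the loose `==` with a strict comparison. The docblock names `$string` while the parameter is `$field`; `@param string $field` and `@return string` would fix it. A qualified name such as `table.column` would be quoted here as one identifier, which MySQL treats as a single column literally named that way, so if callers pass qualified names (read()'s order fields look like a candidate) each dotted part needs quoting separately.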
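Review bot: The base escapeField in Abstract.php returns `$field` untouched, so on every adapter other than Mysql the call sites this patch adds (create, read, update, statementFields, statementConditions) still emit unquoted identifiers while the docblock promises escaping. The docblock should say so and name the right parameter: `Default identifier quoting: returns the name unchanged; adapters override with driver-specific quoting (see Mysql::escapeField).` together with `@param string $field` and `@return string`. Declaring the method abstract would force each adapter to decide explicitly, but that is a larger change than the comment.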
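Review bot: Column names are now passed through escapeField, but `$datasource` on the line above is still concatenated into `INSERT INTO` raw, so the table name remains the one unquoted identifier in this statement. If it is meant to get the same treatment, `$sql = "INSERT INTO " . $this->escapeField($datasource) .` would do it, though the Mysql implementation would then have to cope with qualified `db.table` names; if leaving it raw is deliberate, a short comment saying so would stop the next reader asking. create() continues outside the hunk.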
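Review bot: `$oSort` is still concatenated into the ORDER BY clause unescaped after `$oField` gains quoting, and whether that is safe depends on Query validating the direction, which is not visible here. A whitelist at this point costs one line before the `$order[] =` assignment, `$oSort = strtoupper($oSort) === 'DESC' ? 'DESC' : 'ASC';`, and makes the clause independent of what Query accepted. read()'s body starts and ends outside the hunk.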
@@ -331,7 +341,7 @@ public function read(\Spot\Query $query, array $options = array())
 if($e->getCode() == "42S02") {
 throw new \Spot\Exception_Datasource_Missing("Table or datasource '" . $query->datasource . "' does not exist");
 }
-
+
 // Re-throw exception
 throw $e;
 }
@@ -402,7 +412,7 @@ public function update($datasource, array $data, array $where = array(), array $
 $dataFields = array_combine(array_keys($data), array_keys($dataBinds));
 // Placeholders and passed data
 foreach($dataFields as $field => $bindField) {
- $placeholders[] = $field . " = :" . $bindField . "";
+ $placeholders[] = $this->escapeField($field) . " = :" . $bindField . "";
 }
 $conditions = $this->statementConditions($where, count($dataBinds));
@@ -571,7 +581,7 @@ public function dropDatabase($database) {
 */
 public function statementFields(array $fields = array())
 {
- return count($fields) > 0 ? implode(', ', $fields) : "*";
+ return count($fields) > 0 ? implode(', ', array_map(array($this, 'escapeField'), $fields)) : "*";
 }
@@ -637,7 +647,7 @@ public function statementConditions(array $conditions = array(), $ci = 0)
 // MATCH(col) AGAINST(search)
 case ':fulltext':
 $colParam = preg_replace('/\W+/', '_', $col) . $ci;
- $whereClause = "MATCH(" . $col . ") AGAINST(:" . $colParam . ")";
+ $whereClause = "MATCH(" . $this->escapeField($col) . ") AGAINST(:" . $colParam . ")";
 break;
 // ALL - Find ALL values in a set - Kind of like IN(), but seeking *all* the values
 case ':all':
@@ -675,9 +685,9 @@ public function statementConditions(array $conditions = array(), $ci = 0)
 $valueIn .= $this->escape($val) . ",";
 }
 $value = "(" . trim($valueIn, ',') . ")";
- $whereClause = $col . " " . $operator . " " . $value;
+ $whereClause = $this->escapeField($col) . " " . $operator . " " . $value;
 } elseif(is_null($value)) {
- $whereClause = $col . " " . $operator;
+ $whereClause = $this->escapeField($col) . " " . $operator;
 }
 if(empty($whereClause)) {
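Review bot: Every entry of `$fields` in statementFields is now run through escapeField, so on MySQL a field given as an expression, alias or qualified name (`COUNT(*)`, `t.col AS c`) would be wrapped in backticks as one name and stop working; only a bare `*` is passed through. Whether any caller relies on raw expressions here cannot be seen from the hunk, but it is a behaviour change worth stating in the method's docblock, e.g. `Fields are quoted as plain identifiers; expressions and aliases are not supported here.` The same concern applies to the `MATCH(...)` column in the :fulltext hunk below, where a comma-separated column list would likewise be quoted as a single identifier.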