Fix #yogosha7605
This commit is contained in:
parent
fd74e33ef1
commit
0021381201
@ -663,9 +663,13 @@ class DoliDBMysqli extends DoliDB
|
||||
|
||||
$like = '';
|
||||
if ($table) {
|
||||
$like = "LIKE '".$table."'";
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_%]/i', '', $table);
|
||||
|
||||
$like = "LIKE '".$this->escape($tmptable)."'";
|
||||
}
|
||||
$sql = "SHOW TABLES FROM ".$database." ".$like.";";
|
||||
$tmpdatabase = preg_replace('/[^a-z0-9\.\-\_]/i', '', $database);
|
||||
|
||||
$sql = "SHOW TABLES FROM ".$tmpdatabase." ".$like.";";
|
||||
//print $sql;
|
||||
$result = $this->query($sql);
|
||||
if ($result) {
|
||||
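Review bot: On the new `$sql = "SHOW TABLES FROM ".$tmpdatabase." ".$like.";";` line the sanitised database name is still spliced in as a bare identifier, and the whitelist keeps `.` and `-`, which MySQL does not accept in an unquoted identifier, so the filter removes the injection but such a name now yields a broken statement instead of a listing. Because the backtick character is excluded by the regex, wrapping `$tmpdatabase` in backtick quotes is safe and makes those names work again. Note also that `preg_replace` silently rewrites rather than rejects: a caller passing an unexpected value gets the tables of some other database with no error, so comparing `$tmpdatabase !== $database` and bailing out would make tampering visible. DDLListTables starts before and continues after this hunk.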
@ -688,7 +692,9 @@ class DoliDBMysqli extends DoliDB
|
||||
// phpcs:enable
|
||||
$infotables = array();
|
||||
|
||||
$sql = "SHOW FULL COLUMNS FROM ".$table.";";
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
|
||||
|
||||
$sql = "SHOW FULL COLUMNS FROM ".$tmptable.";";
|
||||
|
||||
dol_syslog($sql, LOG_DEBUG);
|
||||
$result = $this->query($sql);
|
||||
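Review bot: Nothing checks what survives the new `preg_replace` before it is interpolated on `$sql = "SHOW FULL COLUMNS FROM ".$tmptable.";";`, so a `$table` made entirely of disallowed characters collapses to an empty string and the driver runs `SHOW FULL COLUMNS FROM ;`, which only fails later at query time with a confusing error. A guard such as `if ($tmptable === '' || $tmptable !== $table) { /* return this method's failure value */ }` placed before the query gives a clear failure, and quoting the identifier with backticks (excluded by the whitelist) would keep names containing `.` or `-` usable. The method's return paths, including what it returns when `$result` is false, lie outside the hunk.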
@ -794,7 +800,9 @@ class DoliDBMysqli extends DoliDB
|
||||
public function DDLDropTable($table)
|
||||
{
|
||||
// phpcs:enable
|
||||
$sql = "DROP TABLE ".$table;
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
|
||||
|
||||
$sql = "DROP TABLE ".$tmptable;
|
||||
|
||||
if (!$this->query($sql)) {
|
||||
return -1;
|
||||
|
||||
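Review bot: For a destructive statement the new `$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);` should reject rather than normalise: stripping characters means `DROP TABLE` can run against a table whose name differs from the one the caller passed, and the query succeeds without any signal. The method already returns -1 on failure, so `if ($tmptable === '' || $tmptable !== $table) { return -1; }` before building `$sql` keeps the interface and turns a tampered or mistyped name into an error instead of a silent drop of another table. Backtick-quoting the identifier would also be safe here since the whitelist excludes that character. The method's tail lies beyond the hunk.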
@ -937,7 +937,9 @@ class DoliDBPgsql extends DoliDB
|
||||
|
||||
$escapedlike = '';
|
||||
if ($table) {
|
||||
$escapedlike = " AND table_name LIKE '".$this->escape($table)."'";
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_%]/i', '', $table);
|
||||
|
||||
$escapedlike = " AND table_name LIKE '".$this->escape($tmptable)."'";
|
||||
}
|
||||
$result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$escapedlike." ORDER BY table_name");
|
||||
if ($result) {
|
||||
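Review bot: The new `$tmptable = preg_replace('/[^a-z0-9\.\-\_%]/i', '', $table);` filters a value that is already passed through `$this->escape()` inside a single-quoted literal, whereas `DDLInfoTable` in the same class (next hunk) keeps only `$this->escape($table)`; both are safe as string literals, but the asymmetry will puzzle a later reader. Either apply the same whitelist in DDLInfoTable or state the intent here, e.g. `// Defence in depth: escape() neutralises quotes, the whitelist bounds the LIKE pattern to name characters and %`. The kept `%` and `_` are both LIKE wildcards, which is presumably deliberate for prefix matching and worth saying in that comment. The enclosing method starts before the hunk.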
@ -973,8 +975,8 @@ class DoliDBPgsql extends DoliDB
|
||||
$sql .= " '' as \"Extra\",";
|
||||
$sql .= " '' as \"Privileges\"";
|
||||
$sql .= " FROM information_schema.columns infcol";
|
||||
$sql .= " WHERE table_schema='public' ";
|
||||
$sql .= " AND table_name='".$this->escape($table)."'";
|
||||
$sql .= " WHERE table_schema = 'public' ";
|
||||
$sql .= " AND table_name = '".$this->escape($table)."'";
|
||||
$sql .= " ORDER BY ordinal_position;";
|
||||
|
||||
dol_syslog($sql, LOG_DEBUG);
|
||||
@ -1078,7 +1080,9 @@ class DoliDBPgsql extends DoliDB
|
||||
public function DDLDropTable($table)
|
||||
{
|
||||
// phpcs:enable
|
||||
$sql = "DROP TABLE ".$table;
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
|
||||
|
||||
$sql = "DROP TABLE ".$tmptable;
|
||||
|
||||
if (!$this->query($sql)) {
|
||||
return -1;
|
||||
|
||||
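Review bot: The whitelist on the new `$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);` keeps `.`, so `DROP TABLE ".$tmptable` still accepts a schema-qualified `otherschema.sometable`, while the read-only methods of this driver pin every lookup to `table_schema = 'public'` in their `information_schema` queries (earlier hunks). Unless dropping tables outside `public` is intended, narrowing this method's pattern to `'/[^a-z0-9_]/i'`, or rejecting with the existing `return -1` when `$tmptable !== $table`, keeps the destructive path as constrained as the lookups. Postgres also folds an unquoted identifier to lowercase, so uppercase letters admitted by the `/i` flag do not select a distinct table — a one-line comment would save the next reader that question. The rest of the method lies outside the hunk.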
@ -875,9 +875,13 @@ class DoliDBSqlite3 extends DoliDB
|
||||
|
||||
$like = '';
|
||||
if ($table) {
|
||||
$like = "LIKE '".$table."'";
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_%]/i', '', $table);
|
||||
|
||||
$like = "LIKE '".$this->escape($tmptable)."'";
|
||||
}
|
||||
$sql = "SHOW TABLES FROM ".$database." ".$like.";";
|
||||
$tmpdatabase = preg_replace('/[^a-z0-9\.\-\_]/i', '', $database);
|
||||
|
||||
$sql = "SHOW TABLES FROM ".$tmpdatabase." ".$like.";";
|
||||
//print $sql;
|
||||
$result = $this->query($sql);
|
||||
if ($result) {
|
||||
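Review bot: The sanitiser on the new `$tmpdatabase` and `$like` lines is sound, but the statement they feed, `SHOW TABLES FROM ...`, is MySQL syntax that SQLite does not accept, so if this method is ever reached on the SQLite driver the query fails regardless of the hardening (pre-existing, but the line is rewritten here). SQLite lists tables through `sqlite_master`; something like `$sql = "SELECT name FROM sqlite_master WHERE type = 'table'".($like ? " AND name ".$like : "").";";` would reuse the already-escaped `$like` and make `$database` irrelevant, though the loop over `$result` below the hunk would need checking for the column it reads. DDLListTables starts before and continues after this hunk.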
@ -901,7 +905,9 @@ class DoliDBSqlite3 extends DoliDB
|
||||
// phpcs:enable
|
||||
$infotables = array();
|
||||
|
||||
$sql = "SHOW FULL COLUMNS FROM ".$table.";";
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
|
||||
|
||||
$sql = "SHOW FULL COLUMNS FROM ".$tmptable.";";
|
||||
|
||||
dol_syslog($sql, LOG_DEBUG);
|
||||
$result = $this->query($sql);
|
||||
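Review bot: As in the MySQL driver, the sanitised name on `$sql = "SHOW FULL COLUMNS FROM ".$tmptable.";";` is interpolated without checking that anything survived `preg_replace`, so an all-invalid `$table` produces `SHOW FULL COLUMNS FROM ;`; a guard `if ($tmptable === '' || $tmptable !== $table) { /* return the failure value */ }` before the query gives a clear error. Separately, `SHOW FULL COLUMNS` is MySQL syntax; SQLite exposes column metadata via `PRAGMA table_info(".$tmptable.")`, so this method presumably does not work on SQLite as written — if it is intentionally a stub, a comment saying so would help. The method's return paths lie beyond the hunk.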
@ -1002,7 +1008,9 @@ class DoliDBSqlite3 extends DoliDB
|
||||
public function DDLDropTable($table)
|
||||
{
|
||||
// phpcs:enable
|
||||
$sql = "DROP TABLE ".$table;
|
||||
$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
|
||||
|
||||
$sql = "DROP TABLE ".$tmptable;
|
||||
|
||||
if (!$this->query($sql)) {
|
||||
return -1;
|
||||
|
||||
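Review bot: This is the ninth copy of the same `preg_replace('/[^a-z0-9\.\-\_]/i', '', ...)` whitelist across the three drivers, and the copies already differ (`%` is admitted in the list methods but not here); a single helper on the shared parent `DoliDB` that both drivers extend, e.g. `protected function sanitizeIdentifier($name, $allowWildcard = false)`, would keep the rule in one place and give one spot to add quoting or rejection later. For this destructive method the caller should reject rather than silently rewrite: `if ($tmptable !== $table) { return -1; }` uses the failure value the method already returns. The method's tail lies beyond the hunk.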
@ -260,6 +260,7 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
|
||||
);
|
||||
|
||||
$listtables = $db->DDLListTables($conf->db->name, '');
|
||||
|
||||
foreach ($listtables as $val) {
|
||||
// Database prefix filter
|
||||
if (preg_match('/^'.MAIN_DB_PREFIX.'/', $val)) {
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file test/phpunit/SqlTest.php
|
||||
* \file test/phpunit/CodingPhpTest.php
|
||||
* \ingroup test
|
||||
* \brief PHPUnit test
|
||||
* \remarks To run this script as CLI: phpunit filename.php
|
||||
@ -363,7 +363,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
// Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
preg_match_all('/(sql|SET|WHERE|INSERT|VALUES|LIKE).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if (! in_array($val[2], array('this->d', 'this->e', 'db->esc', 'dbs->es', 'mydb->e', 'dbsessi', 'db->ida', 'escaped', 'exclude', 'include'))) {
|
||||
$ok=false; // This will generate error
|
||||
|
||||
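Review bot: Adding `LIKE` to the keyword alternation widens a pattern that still requires the sequence `'".$` — a variable concatenated right after a closing quote — so an identifier spliced in unquoted, the very shape fixed elsewhere in this commit (`"DROP TABLE ".$table`, `"SHOW TABLES FROM ".$database`), is never matched by this `preg_match_all` and the test passes on that vulnerable code. A second pattern for identifier positions, e.g. `'/(FROM|TABLE|INTO|UPDATE)\s*"\s*\.\s*\$(.......)/'` with an allow-list of sanitised prefixes, would cover it. The seven-character allow-list is also loose: `'escaped'`, `'exclude'` and `'include'` are prefixes, so any variable starting with those names passes, and `'this->e'` accepts any `$this->e...` member, not only `escape`. The enclosing test method extends beyond the hunk.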
@ -17,7 +17,7 @@
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file test/phpunit/SqlTest.php
|
||||
* \file test/phpunit/CodingSqlTest.php
|
||||
* \ingroup test
|
||||
* \brief PHPUnit test
|
||||
* \remarks To run this script as CLI: phpunit filename.php
|
||||
|
||||