From 9b84459f095e3bbb8abeb8a24032d3f137b1ec02 Mon Sep 17 00:00:00 2001
From: David Grudl
Date: Mon, 15 Sep 2008 23:58:03 +0000
Subject: [PATCH] quoted identifiers security fix
---
 dibi/drivers/mssql.php | 2 ++
 dibi/drivers/mysql.php | 2 ++
 dibi/drivers/mysqli.php | 1 +
 dibi/drivers/odbc.php | 1 +
 dibi/drivers/oracle.php | 4 +++-
 dibi/drivers/pdo.php | 3 +++
 dibi/drivers/sqlite.php | 2 +-
 7 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/dibi/drivers/mssql.php b/dibi/drivers/mssql.php
index 5ec45bf0..37d8900e 100644
--- a/dibi/drivers/mssql.php
+++ b/dibi/drivers/mssql.php
@@ -201,6 +201,8 @@ class DibiMsSqlDriver extends DibiObject implements IDibiDriver
 return "'" . str_replace("'", "''", $value) . "'";
 case dibi::IDENTIFIER:
+ // @see http://msdn.microsoft.com/en-us/library/ms176027.aspx
+ $value = str_replace(array('[', ']'), array('[[', ']]'), $value);
 return '[' . str_replace('.', '].[', $value) . ']';
 case dibi::FIELD_BOOL:
diff --git a/dibi/drivers/mysql.php b/dibi/drivers/mysql.php
index ffdfb103..dd121cc6 100644
--- a/dibi/drivers/mysql.php
+++ b/dibi/drivers/mysql.php
@@ -263,6 +263,8 @@ class DibiMySqlDriver extends DibiObject implements IDibiDriver
 return "'" . mysql_real_escape_string($value, $this->connection) . "'";
 case dibi::IDENTIFIER:
+ // @see http://dev.mysql.com/doc/refman/5.0/en/identifiers.html
+ $value = str_replace('`', '``', $value);
 return '`' . str_replace('.', '`.`', $value) . '`';
 case dibi::FIELD_BOOL:
diff --git a/dibi/drivers/mysqli.php b/dibi/drivers/mysqli.php
index 97684e59..aa9e6588 100644
--- a/dibi/drivers/mysqli.php
+++ b/dibi/drivers/mysqli.php
@@ -247,6 +247,7 @@ class DibiMySqliDriver extends DibiObject implements IDibiDriver
 return "'" . mysqli_real_escape_string($this->connection, $value) . "'";
 case dibi::IDENTIFIER:
+ $value = str_replace('`', '``', $value);
 return '`' . str_replace('.', '`.`', $value) . '`';
 case dibi::FIELD_BOOL:
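Review bot: The added `$value = str_replace(array('[', ']'), array('[[', ']]'), $value);` in mssql.php doubles `[` as well as `]`, but as far as I can tell from the cited MSDN page (and from what `QUOTENAME` produces) only `]` can end a bracketed identifier and only `]` is doubled, so a name that contains `[` is silently turned into a different identifier. `$value = str_replace(']', ']]', $value);` keeps the part of the fix that matters without altering `[`. The same array-form replace is added in odbc.php and in the `mssql` branch of pdo.php. Note also that the `.` to `].[` split on the following return line runs after escaping, so a `.` inside a single name is still split into two delimited parts; that is pre-existing, but a comment such as `// dots are treated as qualifier separators, not as part of a name` above the return would make the contract explicit. The enclosing switch continues outside the hunk.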
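Review bot: The backtick doubling added to mysqli.php carries no reference, while the identical line in mysql.php is introduced with `// @see http://dev.mysql.com/doc/refman/5.0/en/identifiers.html`; adding the same comment here keeps the escaping rule traceable for the next reader. The `mysql` branch of pdo.php is in the same position. The enclosing switch continues outside the hunk.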
diff --git a/dibi/drivers/odbc.php b/dibi/drivers/odbc.php
index c669d639..6f63ba0d 100644
--- a/dibi/drivers/odbc.php
+++ b/dibi/drivers/odbc.php
@@ -215,6 +215,7 @@ class DibiOdbcDriver extends DibiObject implements IDibiDriver
 return "'" . str_replace("'", "''", $value) . "'";
 case dibi::IDENTIFIER:
+ $value = str_replace(array('[', ']'), array('[[', ']]'), $value);
 return '[' . str_replace('.', '].[', $value) . ']';
 case dibi::FIELD_BOOL:
diff --git a/dibi/drivers/oracle.php b/dibi/drivers/oracle.php
index f3ef224e..43070e64 100644
--- a/dibi/drivers/oracle.php
+++ b/dibi/drivers/oracle.php
@@ -215,7 +215,9 @@ class DibiOracleDriver extends DibiObject implements IDibiDriver
 return "'" . str_replace("'", "''", $value) . "'"; // TODO: not tested
 case dibi::IDENTIFIER:
- return '[' . str_replace('.', '].[', $value) . ']'; // TODO: not tested
+ // @see http://download.oracle.com/docs/cd/B10500_01/server.920/a96540/sql_elements9a.htm
+ $value = str_replace('"', '""', $value);
+ return '"' . str_replace('.', '"."', $value) . '"';
 case dibi::FIELD_BOOL:
 return $value ? 1 : 0;
diff --git a/dibi/drivers/pdo.php b/dibi/drivers/pdo.php
index 0165901d..c80322dc 100644
--- a/dibi/drivers/pdo.php
+++ b/dibi/drivers/pdo.php
@@ -242,6 +242,7 @@ class DibiPdoDriver extends DibiObject implements IDibiDriver
 case dibi::IDENTIFIER:
 switch ($this->connection->getAttribute(PDO::ATTR_DRIVER_NAME)) {
 case 'mysql':
+ $value = str_replace('`', '``', $value);
 return '`' . str_replace('.', '`.`', $value) . '`';
 case 'pgsql':
@@ -254,9 +255,11 @@ class DibiPdoDriver extends DibiObject implements IDibiDriver
 case 'sqlite':
 case 'sqlite2':
+ $value = strtr($value, '[]', ' ');
 case 'odbc':
 case 'oci': // TODO: not tested
 case 'mssql':
+ $value = str_replace(array('[', ']'), array('[[', ']]'), $value);
 return '[' . str_replace('.', '].[', $value) . ']';
 default:
diff --git a/dibi/drivers/sqlite.php b/dibi/drivers/sqlite.php
index e960a592..a02d6584 100644
--- a/dibi/drivers/sqlite.php
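Review bot: The new `$value = str_replace('"', '""', $value);` in oracle.php deserves a comment saying what it actually achieves: if I read the cited Oracle page correctly, neither quoted nor nonquoted identifiers may contain a double quotation mark at all, so doubling it does not yield a valid escaped name but only stops an embedded `"` from closing the delimiter early, and the statement then fails on the server instead of running with a rewritten identifier (worth confirming against the targeted version). A line such as `// Oracle identifiers cannot contain '"'; doubling only keeps it from terminating the delimiter` above the replace would record that. The `// TODO: not tested` marker dropped from the identifier line still seems to hold as far as the diff shows, so it may be worth keeping. The enclosing switch continues outside the hunk.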
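Review bot: `$value = strtr($value, '[]', ' ');` in the `sqlite` branch of pdo.php neutralises only `[`: with the three-argument form of `strtr()` the extra characters of the longer argument are ignored, so a two-character `from` paired with a one-character `to` maps `[` to a space and leaves `]` untouched, and `]` is precisely the character that closes the bracketed delimiter. `$value = str_replace(array('[', ']'), ' ', $value);` (or `strtr($value, '[]', '  ')` with two spaces) does what the line intends, though rejecting such a name outright would avoid silently renaming it. Here the fall-through into the `mssql` branch still doubles the surviving `]`, but the identical `strtr` call added in sqlite.php has no such follow-up step. Separately, the `oci` case still falls through to `[`...`]` delimiters while oracle.php in this same commit switches Oracle to `"..."`; the PDO branch presumably needs the same treatment. This switch continues outside the hunk.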
+++ b/dibi/drivers/sqlite.php
@@ -218,7 +218,7 @@ class DibiSqliteDriver extends DibiObject implements IDibiDriver
 return "'" . sqlite_escape_string($value) . "'";
 case dibi::IDENTIFIER:
- return '[' . str_replace('.', '].[', $value) . ']';
+ return '[' . str_replace('.', '].[', strtr($value, '[]', ' ')) . ']';
 case dibi::FIELD_BOOL:
 return $value ? 1 : 0;