quoted identifiers security fix

2025-08-11 16:44:30 +02:00 · 2008-09-15 23:58:03 +00:00
parent 8c4211d5be
commit 9b84459f09
7 changed files with 13 additions and 2 deletions
--- a/dibi/drivers/mssql.php
+++ b/dibi/drivers/mssql.php
@@ -201,6 +201,8 @@ class DibiMsSqlDriver extends DibiObject implements IDibiDriver
 			return "'" . str_replace("'", "''", $value) . "'";

 		case dibi::IDENTIFIER:
+			// @see http://msdn.microsoft.com/en-us/library/ms176027.aspx
+			$value = str_replace(array('[', ']'), array('[[', ']]'), $value);
 			return '[' . str_replace('.', '].[', $value) . ']';

 		case dibi::FIELD_BOOL: