quoted identifiers security fix

2025-08-10 08:04:32 +02:00 · 2008-09-15 23:58:03 +00:00
parent 8c4211d5be
commit 9b84459f09
7 changed files with 13 additions and 2 deletions
--- a/dibi/drivers/mssql.php
+++ b/dibi/drivers/mssql.php
@@ -201,6 +201,8 @@ class DibiMsSqlDriver extends DibiObject implements IDibiDriver
 			return "'" . str_replace("'", "''", $value) . "'";

 		case dibi::IDENTIFIER:
+			// @see http://msdn.microsoft.com/en-us/library/ms176027.aspx
+			$value = str_replace(array('[', ']'), array('[[', ']]'), $value);
 			return '[' . str_replace('.', '].[', $value) . ']';

 		case dibi::FIELD_BOOL:
--- a/dibi/drivers/mysql.php
+++ b/dibi/drivers/mysql.php
@@ -263,6 +263,8 @@ class DibiMySqlDriver extends DibiObject implements IDibiDriver
 			return "'" . mysql_real_escape_string($value, $this->connection) . "'";

 		case dibi::IDENTIFIER:
+			// @see http://dev.mysql.com/doc/refman/5.0/en/identifiers.html
+			$value = str_replace('`', '``', $value);
 			return '`' . str_replace('.', '`.`', $value) . '`';

 		case dibi::FIELD_BOOL:
--- a/dibi/drivers/mysqli.php
+++ b/dibi/drivers/mysqli.php
@@ -247,6 +247,7 @@ class DibiMySqliDriver extends DibiObject implements IDibiDriver
 			return "'" . mysqli_real_escape_string($this->connection, $value) . "'";

 		case dibi::IDENTIFIER:
+			$value = str_replace('`', '``', $value);
 			return '`' . str_replace('.', '`.`', $value) . '`';

 		case dibi::FIELD_BOOL:
--- a/dibi/drivers/odbc.php
+++ b/dibi/drivers/odbc.php
@@ -215,6 +215,7 @@ class DibiOdbcDriver extends DibiObject implements IDibiDriver
 			return "'" . str_replace("'", "''", $value) . "'";

 		case dibi::IDENTIFIER:
+			$value = str_replace(array('[', ']'), array('[[', ']]'), $value);
 			return '[' . str_replace('.', '].[', $value) . ']';

 		case dibi::FIELD_BOOL:
--- a/dibi/drivers/oracle.php
+++ b/dibi/drivers/oracle.php
@@ -215,7 +215,9 @@ class DibiOracleDriver extends DibiObject implements IDibiDriver
 			return "'" . str_replace("'", "''", $value) . "'"; // TODO: not tested

 		case dibi::IDENTIFIER:
-			return '[' . str_replace('.', '].[', $value) . ']';  // TODO: not tested
+			// @see http://download.oracle.com/docs/cd/B10500_01/server.920/a96540/sql_elements9a.htm
+			$value = str_replace('"', '""', $value);
+			return '"' . str_replace('.', '"."', $value) . '"';

 		case dibi::FIELD_BOOL:
 			return $value ? 1 : 0;
--- a/dibi/drivers/pdo.php
+++ b/dibi/drivers/pdo.php
@@ -242,6 +242,7 @@ class DibiPdoDriver extends DibiObject implements IDibiDriver
 		case dibi::IDENTIFIER:
 			switch ($this->connection->getAttribute(PDO::ATTR_DRIVER_NAME)) {
 			case 'mysql':
+				$value = str_replace('`', '``', $value);
 				return '`' . str_replace('.', '`.`', $value) . '`';

 			case 'pgsql':
@@ -254,9 +255,11 @@ class DibiPdoDriver extends DibiObject implements IDibiDriver

 			case 'sqlite':
 			case 'sqlite2':
+				$value = strtr($value, '[]', '  ');
 			case 'odbc':
 			case 'oci': // TODO: not tested
 			case 'mssql':
+				$value = str_replace(array('[', ']'), array('[[', ']]'), $value);
 				return '[' . str_replace('.', '].[', $value) . ']';

 			default:
--- a/dibi/drivers/sqlite.php
+++ b/dibi/drivers/sqlite.php
@@ -218,7 +218,7 @@ class DibiSqliteDriver extends DibiObject implements IDibiDriver
 			return "'" . sqlite_escape_string($value) . "'";

 		case dibi::IDENTIFIER:
-			return '[' . str_replace('.', '].[', $value) . ']';
+			return '[' . str_replace('.', '].[', strtr($value, '[]', '  ')) . ']';

 		case dibi::FIELD_BOOL:
 			return $value ? 1 : 0;