tweak the sql_like_expression feature a little bit to allow correct escaping

git-svn-id: file:///svn/phpbb/trunk@7789 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/includes/db/dbal.php

@@ -49,6 +49,12 @@ class dbal
 	*/
 	var $sql_layer = '';
 
+	/**
+	* Wildcards for matching any (%) or exactly one (_) character within LIKE expressions
+	*/
+	var $any_char;
+	var $one_char;
+
 	/**
 	* Constructor
 	*/
@@ -63,6 +69,10 @@ class dbal
 		// Fill default sql layer based on the class being called.
 		// This can be changed by the specified layer itself later if needed.
 		$this->sql_layer = substr(get_class($this), 5);
+
+		// Do not change this please! This variable is used to easy the use of it - and is hardcoded.
+		$this->any_char = chr(0) . '%';
+		$this->one_char = chr(0) . '_';
 	}
 
 	/**
@@ -193,17 +203,17 @@ class dbal
 
 	/**
 	* Correctly adjust LIKE expression for special characters
-	* Some DBMS are handling them in a different way we need to take into account
+	* Some DBMS are handling them in a different way
+	*
+	* @param string $expression The expression to use. Every wildcard is escaped, except $this->any_char and $this->one_char
+	* @return string LIKE expression including the keyword!
 	*/
 	function sql_like_expression($expression)
 	{
-		// Standard for most DBMS
-		if (strpos($expression, '_') === false)
-		{
-			return 'LIKE \'' . $this->sql_escape($expression) . '\'';
-		}
+		$expression = str_replace(array('_', '%'), array("\_", "\%"), $expression);
+		$expression = str_replace(array(chr(0) . "\_", chr(0) . "\%"), array('_', '%'), $expression);
 
-		return 'LIKE \'' . $this->sql_escape(str_replace('_', "\_", $expression)) . '\'';
+		return $this->_sql_like_expression('LIKE \'' . $this->sql_escape($expression) . '\'');
 	}
 
 	/**

phpBB/includes/db/firebird.php

@@ -408,6 +408,15 @@ class dbal_firebird extends dbal
 		return str_replace("'", "''", $msg);
 	}
 
+	/**
+	* Build LIKE expression
+	* @access private
+	*/
+	function _sql_like_expression($expression)
+	{
+		return $expression;
+	}
+
 	/**
 	* Build db-specific query data
 	* @access private

phpBB/includes/db/mssql.php

@@ -309,19 +309,12 @@ class dbal_mssql extends dbal
 	}
 
 	/**
-	* Correctly adjust LIKE expression for special characters
-	* MSSQL needs an escape character being defined
+	* Build LIKE expression
+	* @access private
 	*/
-	function sql_like_expression($expression)
+	function _sql_like_expression($expression)
 	{
-		// Standard for most DBMS
-		if (strpos($expression, '_') === false)
-		{
-			return 'LIKE \'' . $this->sql_escape($expression) . '\'';
-		}
-
-		// sql_like_expression is only allowed directly within single quotes (to ease the use of it), therefore the special writing of ESCAPE below
-		return 'LIKE \'' . $this->sql_escape(str_replace('_', "\_", $expression)) . "' ESCAPE '\\'";
+		return $expression . " ESCAPE '\\'";
 	}
 
 	/**

phpBB/includes/db/mssql_odbc.php

@@ -320,19 +320,12 @@ class dbal_mssql_odbc extends dbal
 	}
 
 	/**
-	* Correctly adjust LIKE expression for special characters
-	* MSSQL needs an escape character being defined
+	* Build LIKE expression
+	* @access private
 	*/
-	function sql_like_expression($expression)
+	function _sql_like_expression($expression)
 	{
-		// Standard for most DBMS
-		if (strpos($expression, '_') === false)
-		{
-			return 'LIKE \'' . $this->sql_escape($expression) . '\'';
-		}
-
-		// sql_like_expression is only allowed directly within single quotes (to ease the use of it), therefore the special writing of ESCAPE below
-		return 'LIKE \'' . $this->sql_escape(str_replace('_', "\_", $expression)) . "' ESCAPE '\\'";
+		return $expression . " ESCAPE '\\'";
 	}
 
 	/**

phpBB/includes/db/mysql.php

@@ -276,6 +276,15 @@ class dbal_mysql extends dbal
 		return @mysql_real_escape_string($msg, $this->db_connect_id);
 	}
 
+	/**
+	* Build LIKE expression
+	* @access private
+	*/
+	function _sql_like_expression($expression)
+	{
+		return $expression;
+	}
+
 	/**
 	* Build db-specific query data
 	* @access private

phpBB/includes/db/mysqli.php

@@ -245,6 +245,15 @@ class dbal_mysqli extends dbal
 		return @mysqli_real_escape_string($this->db_connect_id, $msg);
 	}
 
+	/**
+	* Build LIKE expression
+	* @access private
+	*/
+	function _sql_like_expression($expression)
+	{
+		return $expression;
+	}
+
 	/**
 	* Build db-specific query data
 	* @access private

phpBB/includes/db/oracle.php

@@ -533,6 +533,15 @@ class dbal_oracle extends dbal
 		return str_replace("'", "''", $msg);
 	}
 
+	/**
+	* Build LIKE expression
+	* @access private
+	*/
+	function _sql_like_expression($expression)
+	{
+		return $expression . " ESCAPE '\\'";
+	}
+
 	function _sql_custom_build($stage, $data)
 	{
 		return $data;

phpBB/includes/db/postgres.php

@@ -345,6 +345,15 @@ class dbal_postgres extends dbal
 		return @pg_escape_string($msg);
 	}
 
+	/**
+	* Build LIKE expression
+	* @access private
+	*/
+	function _sql_like_expression($expression)
+	{
+		return $expression;
+	}
+
 	/**
 	* return sql error array
 	* @access private

phpBB/includes/db/sqlite.php

@@ -247,12 +247,14 @@ class dbal_sqlite extends dbal
 	*/
 	function sql_like_expression($expression)
 	{
-		if (strpos($expression, '_') === false)
-		{
-			return "LIKE '" . $this->sql_escape($expression) . "'";
-		}
+		// Unlike LIKE, GLOB is case sensitive (unfortunatly). SQLite users need to live with it!
+		// We only catch * and ? here, not the character map possible on file globbing.
+		$expression = str_replace(array(chr(0) . '_', chr(0) . '%'), array(chr(0) . '?', chr(0) . '*'), $expression);
 
-		return "GLOB '" . $this->sql_escape(str_replace('%', '*', $expression)) . "'";
+		$expression = str_replace(array('?', '*'), array("\?", "\*"), $expression);
+		$expression = str_replace(array(chr(0) . "\?", chr(0) . "\*"), array('?', '*'), $expression);
+
+		return 'GLOB \'' . $this->sql_escape($expression) . '\'';
 	}
 
 	/**