Menu
▾
▴
[SM-CVS] SF.net SVN: squirrelmail:[14953] branches/SM-1_4-STABLE/squirrelmail/ functions/db_prefs.php
|
From: <pdo...@us...> - 2022-05-22 18:40:07
|
Revision: 14953
http://sourceforge.net/p/squirrelmail/code/14953
Author: pdontthink
Date: 2022-05-22 18:40:05 +0000 (Sun, 22 May 2022)
Log Message:
-----------
Implement SQL identifier quoting in all cases (alleviates issue double-quoting user field under PGSQL, #177)
Modified Paths:
--------------
branches/SM-1_4-STABLE/squirrelmail/functions/db_prefs.php
Modified: branches/SM-1_4-STABLE/squirrelmail/functions/db_prefs.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/db_prefs.php 2022-05-22 18:03:08 UTC (rev 14952)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/db_prefs.php 2022-05-22 18:40:05 UTC (rev 14953)
@@ -35,17 +35,17 @@
* internal database information from being
* exposed. This should be enabled only for
* debugging purposes.
- * string $pdo_identifier_quote_char By default, SquirrelMail will quote
- * table and field names in database
- * queries with what it thinks is the
- * appropriate quote character for the
- * database type being used (backtick
- * for MySQL (and thus MariaDB), double
- * quotes for all others), but you can
- * override the character used by
- * putting it here, or tell SquirrelMail
- * NOT to quote identifiers by setting
- * this to "none"
+ * string $identifier_quote_char By default, SquirrelMail will quote
+ * table and field names in database
+ * queries with what it thinks is the
+ * appropriate quote character for the
+ * database type being used (backtick
+ * for MySQL (and thus MariaDB), double
+ * quotes for all others), but you can
+ * override the character used by
+ * putting it here, or tell SquirrelMail
+ * NOT to quote identifiers by setting
+ * this to "none"
*
* @copyright 1999-2022 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
@@ -170,7 +170,7 @@
}
function open() {
- global $prefs_dsn, $prefs_table, $use_pdo, $pdo_identifier_quote_char;
+ global $prefs_dsn, $prefs_table, $use_pdo, $identifier_quote_char;
global $prefs_user_field, $prefs_key_field, $prefs_val_field;
if(isset($this->dbh)) {
@@ -183,16 +183,16 @@
$this->db_type = SMDB_PGSQL;
}
- // figure out identifier quoting (only used for PDO, though we could change that)
- if (empty($pdo_identifier_quote_char)) {
+ // figure out identifier quoting
+ if (empty($identifier_quote_char)) {
if ($this->db_type == SMDB_MYSQL)
$this->identifier_quote_char = '`';
else
$this->identifier_quote_char = '"';
- } else if ($pdo_identifier_quote_char === 'none')
+ } else if ($identifier_quote_char === 'none')
$this->identifier_quote_char = '';
else
- $this->identifier_quote_char = $pdo_identifier_quote_char;
+ $this->identifier_quote_char = $identifier_quote_char;
if (!empty($prefs_table)) {
$this->table = $prefs_table;
@@ -201,13 +201,6 @@
$this->user_field = $prefs_user_field;
}
- // the default user field is "user", which in PostgreSQL
- // is an identifier and causes errors if not escaped
- //
- if ($this->db_type == SMDB_PGSQL) {
- $this->user_field = '"' . $this->user_field . '"';
- }
-
if (!empty($prefs_key_field)) {
$this->key_field = $prefs_key_field;
}
@@ -342,11 +335,17 @@
$this->failQuery();
}
} else {
- $query = sprintf("DELETE FROM %s WHERE %s='%s' AND %s='%s'",
+ $query = sprintf("DELETE FROM %s%s%s WHERE %s%s%s='%s' AND %s%s%s='%s'",
+ $this->identifier_quote_char,
$this->table,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->user_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($user),
+ $this->identifier_quote_char,
$this->key_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($key));
$res = $this->dbh->simpleQuery($query);
@@ -382,12 +381,20 @@
$this->failQuery();
}
} else {
- $query = sprintf("REPLACE INTO %s (%s, %s, %s) ".
+ $query = sprintf("REPLACE INTO %s%s%s (%s%s%s, %s%s%s, %s%s%s) ".
"VALUES('%s','%s','%s')",
+ $this->identifier_quote_char,
$this->table,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->user_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->key_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->val_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($user),
$this->dbh->quoteString($key),
$this->dbh->quoteString($value));
@@ -445,11 +452,17 @@
}
} else {
$this->dbh->simpleQuery("BEGIN TRANSACTION");
- $query = sprintf("DELETE FROM %s WHERE %s='%s' AND %s='%s'",
+ $query = sprintf("DELETE FROM %s%s%s WHERE %s%s%s='%s' AND %s%s%s='%s'",
+ $this->identifier_quote_char,
$this->table,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->user_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($user),
+ $this->identifier_quote_char,
$this->key_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($key));
$res = $this->dbh->simpleQuery($query);
if (DB::isError($res)) {
@@ -456,11 +469,19 @@
$this->dbh->simpleQuery("ROLLBACK TRANSACTION");
$this->failQuery($res);
}
- $query = sprintf("INSERT INTO %s (%s, %s, %s) VALUES ('%s', '%s', '%s')",
+ $query = sprintf("INSERT INTO %s%s%s (%s%s%s, %s%s%s, %s%s%s) VALUES ('%s', '%s', '%s')",
+ $this->identifier_quote_char,
$this->table,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->user_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->key_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->val_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($user),
$this->dbh->quoteString($key),
$this->dbh->quoteString($value));
@@ -502,21 +523,35 @@
$this->failQuery();
}
} else {
- $query = sprintf("DELETE FROM %s WHERE %s='%s' AND %s='%s'",
+ $query = sprintf("DELETE FROM %s%s%s WHERE %s%s%s='%s' AND %s%s%s='%s'",
+ $this->identifier_quote_char,
$this->table,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->user_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($user),
+ $this->identifier_quote_char,
$this->key_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($key));
$res = $this->dbh->simpleQuery($query);
if (DB::isError($res)) {
$this->failQuery($res);
}
- $query = sprintf("INSERT INTO %s (%s, %s, %s) VALUES ('%s', '%s', '%s')",
+ $query = sprintf("INSERT INTO %s%s%s (%s%s%s, %s%s%s, %s%s%s) VALUES ('%s', '%s', '%s')",
+ $this->identifier_quote_char,
$this->table,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->user_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->key_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->val_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($user),
$this->dbh->quoteString($key),
$this->dbh->quoteString($value));
@@ -558,12 +593,20 @@
$prefs_cache[$row['prefkey']] = $row['prefval'];
}
} else {
- $query = sprintf("SELECT %s as prefkey, %s as prefval FROM %s ".
- "WHERE %s = '%s'",
+ $query = sprintf("SELECT %s%s%s as prefkey, %s%s%s as prefval FROM %s%s%s ".
+ "WHERE %s%s%s = '%s'",
+ $this->identifier_quote_char,
$this->key_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->val_field,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->table,
+ $this->identifier_quote_char,
+ $this->identifier_quote_char,
$this->user_field,
+ $this->identifier_quote_char,
$this->dbh->quoteString($user));
$res = $this->dbh->query($query);
if (DB::isError($res)) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
