authorGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
commit89be29505b1ed6146aef314d5524f46cc289cee3 (patch)
tree6be929fa5d9b84c48f0a5682bc6f95cb09b3bde3 /includes
parent52f95c981bbf7588aedd1b5cb3ef74641572e39e (diff)
#198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
Diffstat (limited to 'includes')
-rw-r--r--includes/database.inc2
-rw-r--r--includes/database.mysql.inc4
-rw-r--r--includes/database.mysqli.inc4
-rw-r--r--includes/database.pgsql.inc6
-rw-r--r--includes/tablesort.inc11
5 files changed, 16 insertions, 11 deletions
diff --git a/includes/database.inc b/includes/database.inc
index 45a8b592c..25aadf57a 100644
--- a/includes/database.inc
+++ b/includes/database.inc
@@ -350,7 +350,7 @@ function db_rewrite_sql($query, $primary_table = 'n', $primary_field = 'nid', $
}
/**
- * Restrict a dynamic tablename to safe characters.
+ * Restrict a dynamic table, column or constraint name to safe characters.
*
* Only keeps alphanumeric and underscores.
*/
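Review bot: The reworded docblock still says only what is kept, not what happens to the rest: per "Only keeps alphanumeric and underscores" the function filters rather than rejects, so a name that is entirely invalid presumably comes back as an empty string and the caller builds an empty `{}` into its query without any error. I'd add a line to the docblock such as ` * Characters outside that set are dropped, so the result may be empty; callers should check for that. Underscores are kept, so the result is not safe to use unchanged as a LIKE pattern.` The function body is outside the hunk, so this is inferred from the description.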
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index a20486996..01eb22bef 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -346,14 +346,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
- return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
+ return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
- return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
+ return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
}
/**
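Review bot: The new db_column_exists line passes the filtered column name straight into a LIKE pattern, and db_escape_table() keeps underscores, which LIKE treats as a single-character wildcard; a check for `foo_bar` therefore also reports a column named `fooXbar` as present. The same pre-existing issue is on the db_table_exists line above it and in the identical hunk in includes/database.mysqli.inc (ending at the `/**` after its db_column_exists), while the pgsql driver compares with `=`, so the three backends do not agree. I'd escape the wildcard after filtering, e.g. `LIKE '". str_replace('_', '\_', db_escape_table($column)) ."'"`, and do the same for the table name in db_table_exists. The `(bool)` cast itself is fine; db_fetch_object yields an object or FALSE.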
diff --git a/includes/database.mysqli.inc b/includes/database.mysqli.inc
index 9cefafc6d..191999145 100644
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
@@ -346,14 +346,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
- return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
+ return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
- return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
+ return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
}
/**
diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc
index 65e049263..f5196fb91 100644
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@@ -228,7 +228,7 @@ function db_error() {
* The name of the autoincrement field.
*/
function db_last_insert_id($table, $field) {
- return db_result(db_query("SELECT currval('%s_seq')", db_prefix_tables('{'. $table .'}') .'_'. $field));
+ return db_result(db_query("SELECT CURRVAL('{". db_escape_table($table) ."}_". db_escape_table($field) ."_seq')"));
}
/**
@@ -384,14 +384,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
- return db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
+ return (bool) db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
- return db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname='%s'", $column));
+ return (bool) db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname = '". db_escape_table($column) ."'"));
}
/**
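Review bot: The rewritten db_table_exists and db_column_exists queries match any relation in pg_class with that name, not only tables, so a view or sequence named like the table is reported as an existing table, and the pg_attribute join in db_column_exists does not exclude system columns (negative attnum, e.g. `xmin`) or dropped columns. I'd add `AND pg_class.relkind = 'r'` to both queries and `AND pg_attribute.attnum > 0 AND NOT pg_attribute.attisdropped` to the column query. The escaping is now consistent with the mysql drivers; this is pre-existing rather than introduced by the commit, noted because the lines were rewritten. Note also that the mysql drivers use LIKE matching while this one compares exactly, so results can differ across backends for names containing underscores.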
diff --git a/includes/tablesort.inc b/includes/tablesort.inc
index d241a0c2d..9c39c5ce8 100644
--- a/includes/tablesort.inc
+++ b/includes/tablesort.inc
@@ -39,9 +39,14 @@ function tablesort_init($header) {
function tablesort_sql($header, $before = '') {
$ts = tablesort_init($header);
if ($ts['sql']) {
- $sql = db_escape_string($ts['sql']);
- $sort = drupal_strtoupper(db_escape_string($ts['sort']));
- return " ORDER BY $before $sql $sort";
+ // Based on code from db_escape_table(), but this can also contain a dot.
+ $field = preg_replace('/[^A-Za-z0-9_.]+/', '', $ts['sql']);
+
+ // Sort order can only be ASC or DESC.
+ $sort = drupal_strtoupper($ts['sort']);
+ $sort = in_array($sort, array('ASC', 'DESC')) ? $sort : '';
+
+ return " ORDER BY $before $field $sort";
}
}
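Review bot: The filtered `$field` on the new preg_replace line is never checked for emptiness, so an order value consisting only of stripped characters yields `ORDER BY  ASC` (or `ORDER BY  ` when the sort is also rejected), which is a SQL syntax error rather than a harmless no-op; I'd add `if ($field === '') { return ''; }` directly after the preg_replace. The `$before` fragment is interpolated unfiltered, which is presumably intended for a developer-supplied fragment, so the docblock above the function (outside the hunk) should state that `$before` must be trusted SQL and never derived from request input. Minor: `in_array($sort, array('ASC', 'DESC'), TRUE)` with the strict flag matches the whitelist intent of the comment above it.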