CoreLibs/development
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bug fix for DB\IO params detection

Browse Source 
Param detection found too many params, for example '$1'.
Fixed the regex to only allow params that are no preceeded by '
And must start with space/tab, =, (
This commit is contained in:
Clemens Schwaighofer
2023-04-07 14:34:13 +09:00
parent b4b33d6873
commit 8c2ebcfd31
2 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
www/admin/class_test.db.php
View File

@@ -212,11 +212,11 @@ $query = <<<EOM
INSERT INTO INSERT INTO
test_foo test_foo
( (
test test, string_a
) VALUES ( ) VALUES (
$1 $1, '$2'
) )
RETURNING test RETURNING test, string_a
EOM; EOM;
$db->dbPrepare("ins_test_foo_eom", $query); $db->dbPrepare("ins_test_foo_eom", $query);
$status = $db->dbExecute("ins_test_foo_eom", ['EOM BAR TEST ' . time()]); $status = $db->dbExecute("ins_test_foo_eom", ['EOM BAR TEST ' . time()]);

16
www/lib/CoreLibs/DB/IO.php
View File

@@ -279,8 +279,20 @@ class IO
public const NO_CACHE = 3; public const NO_CACHE = 3;
/** @var string default hash type */ /** @var string default hash type */
public const ERROR_HASH_TYPE = 'adler32'; public const ERROR_HASH_TYPE = 'adler32';
/**
* @var string regex for params: only stand alone $number allowed
* never allowed to start with '
* must be after space/tab, =, (
*/
public const REGEX_PARAMS = '/[^\'][\s(=](\$[0-9]{1,})/';
/** @var string regex to get returning with matches at position 1 */ /** @var string regex to get returning with matches at position 1 */
public const REGEX_RETURNING = '/\s+returning\s+(.+\s*(?:.+\s*)+);?$/i'; public const REGEX_RETURNING = '/\s+returning\s+(.+\s*(?:.+\s*)+);?$/i';
// REGEX_SELECT
// REGEX_UPDATE
// REGEX INSERT
// REGEX_INSERT_UPDATE_DELETE
// REGEX_FROM_TABLE
// REGEX_INSERT_UPDATE_DELETE_TABLE
// recommend to set private/protected and only allow setting via method // recommend to set private/protected and only allow setting via method
// can bet set from outside // can bet set from outside
@@ -1017,7 +1029,7 @@ class IO
{ {
// search for $1, $2, in the query and push it into the control array // search for $1, $2, in the query and push it into the control array
// skip counts for same eg $1, $1, $2 = 2 and not 3 // skip counts for same eg $1, $1, $2 = 2 and not 3
preg_match_all('/(\$[0-9]{1,})/', $query, $match); preg_match_all(self::REGEX_PARAMS, $query, $match);
$placeholder_count = count(array_unique($match[1])); $placeholder_count = count(array_unique($match[1]));
if ($params_count != $placeholder_count) { if ($params_count != $placeholder_count) {
$this->__dbError( $this->__dbError(
@@ -2588,7 +2600,7 @@ class IO
$match = []; $match = [];
// search for $1, $2, in the query and push it into the control array // search for $1, $2, in the query and push it into the control array
// skip counts for same eg $1, $1, $2 = 2 and not 3 // skip counts for same eg $1, $1, $2 = 2 and not 3
preg_match_all('/(\$[0-9]{1,})/', $query, $match); preg_match_all(self::REGEX_PARAMS, $query, $match);
$this->prepare_cursor[$stm_name]['count'] = count(array_unique($match[1])); $this->prepare_cursor[$stm_name]['count'] = count(array_unique($match[1]));
$this->prepare_cursor[$stm_name]['query'] = $query; $this->prepare_cursor[$stm_name]['query'] = $query;
$result = $this->db_functions->__dbPrepare($stm_name, $query); $result = $this->db_functions->__dbPrepare($stm_name, $query);