Addshore has uploaded a new change for review.
https://gerrit.wikimedia.org/r/87561
Change subject: Add further escaping to mysql and sqlite classes
......................................................................
Add further escaping to mysql and sqlite classes
Change-Id: Id0ca317a142f5f4755115a8de12ca150b3934377
---
M src/MySQL/MySQLFieldSqlBuilder.php
M src/MySQL/MySQLSchemaSqlBuilder.php
M src/MySQL/MySQLTableSqlBuilder.php
M src/SQLite/SQLiteFieldSqlBuilder.php
M src/SQLite/SQLiteSchemaSqlBuilder.php
M src/SQLite/SQLiteTableSqlBuilder.php
6 files changed, 23 insertions(+), 19 deletions(-)
git pull
ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/WikibaseDatabase
refs/changes/61/87561/1
diff --git a/src/MySQL/MySQLFieldSqlBuilder.php
b/src/MySQL/MySQLFieldSqlBuilder.php
index bcfcfd5..f58bc37 100644
--- a/src/MySQL/MySQLFieldSqlBuilder.php
+++ b/src/MySQL/MySQLFieldSqlBuilder.php
@@ -24,7 +24,7 @@
}
public function getFieldSQL( FieldDefinition $field ){
- $sql = $field->getName() . ' ';
+ $sql = $this->escaper->getEscapedValue( $field->getName() ) .
' ';
$sql .= $this->getFieldType( $field->getType() );
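Review bot: The added line passes a column identifier through `getEscapedValue()`, whose name indicates it escapes a string value for a literal context; the concrete Escaper is not visible here, so whether its output is safe as a bare name is unverified — if it wraps the result in quotes, `'name' INT` is not valid DDL, and if it only escapes quote and backslash characters, a backtick, space or semicolon in a field name still reaches the statement unquoted. The same pattern is introduced in SQLiteFieldSqlBuilder::getFieldSQL, MySQLSchemaSqlBuilder::getRemoveFieldSql, SQLiteSchemaSqlBuilder::getFieldsSql and SQLiteTableSqlBuilder::getIndexSQL, and in getRemoveFieldSql the result is interpolated into `ALTER TABLE ... DROP ...` with no quoting at all. Identifiers need a dedicated identifier-quoting routine (for MySQL: wrap in backticks and double any backtick in the name; for SQLite: wrap in double quotes and double any embedded double quote), or at minimum a whitelist check such as `preg_match( '/^[A-Za-z0-9_]+$/', $field->getName() )` that throws on anything else before the name is interpolated. getFieldSQL continues past the hunk.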
diff --git a/src/MySQL/MySQLSchemaSqlBuilder.php
b/src/MySQL/MySQLSchemaSqlBuilder.php
index 7b96c3a..05cce16 100644
--- a/src/MySQL/MySQLSchemaSqlBuilder.php
+++ b/src/MySQL/MySQLSchemaSqlBuilder.php
@@ -17,11 +17,13 @@
*/
class MySQLSchemaSqlBuilder implements SchemaModificationSqlBuilder {
+ protected $escaper;
protected $fieldSqlBuilder;
protected $tableNameFormatter;
- public function __construct( Escaper $fieldValueEscaper,
TableNameFormatter $tableNameFormatter ) {
- $this->fieldSqlBuilder = new MySQLFieldSqlBuilder(
$fieldValueEscaper );
+ public function __construct( Escaper $escaper, TableNameFormatter
$tableNameFormatter ) {
+ $this->escaper = $escaper;
+ $this->fieldSqlBuilder = new MySQLFieldSqlBuilder( $escaper );
$this->tableNameFormatter = $tableNameFormatter;
}
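Review bot: The rewritten constructor has no docblock, while MySQLTableSqlBuilder's constructor in the same change documents both parameters; adding `/** @param Escaper $escaper @param TableNameFormatter $tableNameFormatter */` above `public function __construct(` keeps the two classes consistent and records that the escaper is now stored on the instance for getRemoveFieldSql as well as forwarded to MySQLFieldSqlBuilder. The class body continues past the hunk.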
@@ -33,7 +35,7 @@
*/
public function getRemoveFieldSql( $tableName, $fieldName ) {
$tableName = $this->tableNameFormatter->formatTableName(
$tableName );
- //todo escape $fieldName
+ $fieldName = $this->escaper->getEscapedValue( $fieldName );
return "ALTER TABLE {$tableName} DROP {$fieldName}";
}
diff --git a/src/MySQL/MySQLTableSqlBuilder.php
b/src/MySQL/MySQLTableSqlBuilder.php
index c1ae2ab..0428828 100644
--- a/src/MySQL/MySQLTableSqlBuilder.php
+++ b/src/MySQL/MySQLTableSqlBuilder.php
@@ -27,12 +27,12 @@
/**
* @param string $dbName
- * @param Escaper $fieldValueEscaper
+ * @param Escaper $escaper
* @param TableNameFormatter $tableNameFormatter
*/
- public function __construct( $dbName, Escaper $fieldValueEscaper,
TableNameFormatter $tableNameFormatter ) {
+ public function __construct( $dbName, Escaper $escaper,
TableNameFormatter $tableNameFormatter ) {
$this->dbName = $dbName;
- $this->escaper = $fieldValueEscaper;
+ $this->escaper = $escaper;
$this->tableNameFormatter = $tableNameFormatter;
$this->fieldSqlBuilder = new MySQLFieldSqlBuilder(
$this->escaper );
}
@@ -80,12 +80,12 @@
$sql = $this->getIndexType( $index->getType() );
if( $index->getType() !== IndexDefinition::TYPE_PRIMARY ){
- $sql .= ' `'.$index->getName().'`';
+ $sql .= ' `' . $this->escaper->getEscapedValue(
$index->getName() ) . '`';
}
$columnNames = array();
foreach( $index->getColumns() as $columnName => $intSize ){
- $columnNames[] = $columnName;
+ $columnNames[] = $this->escaper->getEscapedValue(
$columnName );
}
$sql .= ' (`'.implode( '`,`', $columnNames ).'`)';
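Review bot: On the two added lines the escaping and the quoting are done by different parties — `getEscapedValue()` produces the name and the hunk then wraps it in hand-written backticks (index name on the first added line, column names via the implode on the last line). Inside MySQL backtick quoting the only character that must be handled is a backtick itself, which has to be doubled, and a value escaper is unlikely to do that; conversely, if the escaper adds its own surrounding quotes the output becomes a backtick-wrapped quoted literal, which is a different identifier than intended. One identifier-quoting helper that both wraps and escapes, e.g. `$quoted = '`' . str_replace( '`', '``', $name ) . '`';`, should replace `getEscapedValue()` here, with the manual backticks around `$index->getName()` and in the implode removed. The enclosing method starts before the hunk and its body continues after it.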
diff --git a/src/SQLite/SQLiteFieldSqlBuilder.php
b/src/SQLite/SQLiteFieldSqlBuilder.php
index 13eba45..a8ab1ee 100644
--- a/src/SQLite/SQLiteFieldSqlBuilder.php
+++ b/src/SQLite/SQLiteFieldSqlBuilder.php
@@ -24,7 +24,7 @@
}
public function getFieldSQL( FieldDefinition $field ){
- $sql = $field->getName() . ' ';
+ $sql = $this->escaper->getEscapedValue( $field->getName() ) . '
';
$sql .= $this->getFieldType( $field->getType() );
diff --git a/src/SQLite/SQLiteSchemaSqlBuilder.php
b/src/SQLite/SQLiteSchemaSqlBuilder.php
index 942548b..cea9209 100644
--- a/src/SQLite/SQLiteSchemaSqlBuilder.php
+++ b/src/SQLite/SQLiteSchemaSqlBuilder.php
@@ -20,14 +20,16 @@
*/
class SQLiteSchemaSqlBuilder implements SchemaModificationSqlBuilder {
+ protected $escaper;
protected $fieldSqlBuilder;
protected $tableNameFormatter;
- public function __construct( Escaper $fieldValueEscaper,
TableNameFormatter $tableNameFormatter, TableDefinitionReader $definitionReader
) {
- $this->fieldSqlBuilder = new SQLiteFieldSqlBuilder(
$fieldValueEscaper );
+ public function __construct( Escaper $escaper, TableNameFormatter
$tableNameFormatter, TableDefinitionReader $definitionReader ) {
+ $this->escaper = $escaper;
+ $this->fieldSqlBuilder = new SQLiteFieldSqlBuilder( $escaper );
$this->tableNameFormatter = $tableNameFormatter;
$this->tableDefinitionReader = $definitionReader;
- $this->tableSqlBuilder = new SQLiteTableSqlBuilder(
$fieldValueEscaper, $tableNameFormatter );
+ $this->tableSqlBuilder = new SQLiteTableSqlBuilder( $escaper,
$tableNameFormatter );
}
/**
@@ -60,7 +62,7 @@
private function getFieldsSql( $fields ){
$fieldNames = array();
foreach( $fields as $field ){
- $fieldNames[] = $field->getName();
+ $fieldNames[] = $this->escaper->getEscapedValue(
$field->getName() );
}
return implode( ', ', $fieldNames );
}
diff --git a/src/SQLite/SQLiteTableSqlBuilder.php
b/src/SQLite/SQLiteTableSqlBuilder.php
index c190b1b..19889d5 100644
--- a/src/SQLite/SQLiteTableSqlBuilder.php
+++ b/src/SQLite/SQLiteTableSqlBuilder.php
@@ -25,11 +25,11 @@
protected $fieldSqlBuilder;
/**
- * @param Escaper $fieldValueEscaper
+ * @param Escaper $escaper
* @param TableNameFormatter $tableNameFormatter
*/
- public function __construct( Escaper $fieldValueEscaper,
TableNameFormatter $tableNameFormatter ) {
- $this->escaper = $fieldValueEscaper;
+ public function __construct( Escaper $escaper, TableNameFormatter
$tableNameFormatter ) {
+ $this->escaper = $escaper;
$this->tableNameFormatter = $tableNameFormatter;
$this->fieldSqlBuilder = new SQLiteFieldSqlBuilder(
$this->escaper );
}
@@ -81,12 +81,12 @@
protected function getIndexSQL( IndexDefinition $index, TableDefinition
$table ) {
$sql = 'CREATE ';
$sql .= $this->getIndexType( $index->getType() ) . ' ';
- $sql .= $index->getName() . ' ';
+ $sql .= $this->escaper->getEscapedValue( $index->getName() ) .
' ';
$sql .= 'ON ' . $this->formatTableName( $table->getName() );
$columnNames = array();
foreach( $index->getColumns() as $columnName => $intSize ){
- $columnNames[] = $columnName;
+ $columnNames[] = $this->escaper->getEscapedValue(
$columnName );
}
$sql .= ' ('.implode( ',', $columnNames ).');';
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Id0ca317a142f5f4755115a8de12ca150b3934377
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/WikibaseDatabase
Gerrit-Branch: master
Gerrit-Owner: Addshore <[email protected]>