From 00213812010a43454ab7a61558f67009cdd638da Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 11 Nov 2021 17:08:35 +0100
Subject: [PATCH] Fix #yogosha7605
---
 htdocs/core/db/mysqli.class.php | 16 ++++++++++++----
 htdocs/core/db/pgsql.class.php | 12 ++++++++----
 htdocs/core/db/sqlite3.class.php | 16 ++++++++++++----
 htdocs/install/upgrade.php | 1 +
 test/phpunit/CodingPhpTest.php | 4 ++--
 test/phpunit/CodingSqlTest.php | 2 +-
 6 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/htdocs/core/db/mysqli.class.php b/htdocs/core/db/mysqli.class.php
index 0db4e16a897..b64ec0708e2 100644
--- a/htdocs/core/db/mysqli.class.php
+++ b/htdocs/core/db/mysqli.class.php
@@ -663,9 +663,13 @@ class DoliDBMysqli extends DoliDB
 $like = '';
 if ($table) {
- $like = "LIKE '".$table."'";
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_%]/i', '', $table);
+
+ $like = "LIKE '".$this->escape($tmptable)."'";
 }
- $sql = "SHOW TABLES FROM ".$database." ".$like.";";
+ $tmpdatabase = preg_replace('/[^a-z0-9\.\-\_]/i', '', $database);
+
+ $sql = "SHOW TABLES FROM ".$tmpdatabase." ".$like.";";
 //print $sql;
 $result = $this->query($sql);
 if ($result) {
@@ -688,7 +692,9 @@ class DoliDBMysqli extends DoliDB
 // phpcs:enable
 $infotables = array();
- $sql = "SHOW FULL COLUMNS FROM ".$table.";";
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
+
+ $sql = "SHOW FULL COLUMNS FROM ".$tmptable.";";
 dol_syslog($sql, LOG_DEBUG);
 $result = $this->query($sql);
@@ -794,7 +800,9 @@ class DoliDBMysqli extends DoliDB
 public function DDLDropTable($table)
 {
 // phpcs:enable
- $sql = "DROP TABLE ".$table;
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
+
+ $sql = "DROP TABLE ".$tmptable;
 if (!$this->query($sql)) {
 return -1;
diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php
index 5997349d0c5..ac6b8de33f3 100644
--- a/htdocs/core/db/pgsql.class.php
+++ b/htdocs/core/db/pgsql.class.php
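Review bot: The `preg_replace` on `$table` and `$database` in DDLListTables silently strips disallowed characters instead of rejecting the value, so a name containing one is rewritten into a different identifier and the statement runs against that; in the DDLDropTable hunk below (and in the DDLListTables, DDLInfoTable and DDLDropTable hunks of pgsql.class.php and sqlite3.class.php, which apply the same pattern) that means a destructive `DROP TABLE` can hit a table the caller never named. Failing closed keeps the fix without that side effect: `$tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);` followed by `if ($tmptable !== $table) { return -1; }` in DDLDropTable, and the equivalent failure return in the list/info methods. The cleaned identifiers are still interpolated unquoted into `SHOW TABLES FROM` and `SHOW FULL COLUMNS FROM`; wrapping them in the backend's identifier quotes (backticks for MySQL) would make the allow-list a second layer rather than the only one. The enclosing methods start and end outside these hunks.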
@@ -937,7 +937,9 @@ class DoliDBPgsql extends DoliDB
 $escapedlike = '';
 if ($table) {
- $escapedlike = " AND table_name LIKE '".$this->escape($table)."'";
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_%]/i', '', $table);
+
+ $escapedlike = " AND table_name LIKE '".$this->escape($tmptable)."'";
 }
 $result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$escapedlike." ORDER BY table_name");
 if ($result) {
@@ -973,8 +975,8 @@ class DoliDBPgsql extends DoliDB
 $sql .= " '' as \"Extra\",";
 $sql .= " '' as \"Privileges\"";
 $sql .= " FROM information_schema.columns infcol";
- $sql .= " WHERE table_schema='public' ";
- $sql .= " AND table_name='".$this->escape($table)."'";
+ $sql .= " WHERE table_schema = 'public' ";
+ $sql .= " AND table_name = '".$this->escape($table)."'";
 $sql .= " ORDER BY ordinal_position;";
 dol_syslog($sql, LOG_DEBUG);
@@ -1078,7 +1080,9 @@ class DoliDBPgsql extends DoliDB
 public function DDLDropTable($table)
 {
 // phpcs:enable
- $sql = "DROP TABLE ".$table;
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
+
+ $sql = "DROP TABLE ".$tmptable;
 if (!$this->query($sql)) {
 return -1;
diff --git a/htdocs/core/db/sqlite3.class.php b/htdocs/core/db/sqlite3.class.php
index c03d2a5ee04..bc01ee7a535 100644
--- a/htdocs/core/db/sqlite3.class.php
+++ b/htdocs/core/db/sqlite3.class.php
@@ -875,9 +875,13 @@ class DoliDBSqlite3 extends DoliDB
 $like = '';
 if ($table) {
- $like = "LIKE '".$table."'";
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_%]/i', '', $table);
+
+ $like = "LIKE '".$this->escape($tmptable)."'";
 }
- $sql = "SHOW TABLES FROM ".$database." ".$like.";";
+ $tmpdatabase = preg_replace('/[^a-z0-9\.\-\_]/i', '', $database);
+
+ $sql = "SHOW TABLES FROM ".$tmpdatabase." ".$like.";";
 //print $sql;
 $result = $this->query($sql);
 if ($result) {
@@ -901,7 +905,9 @@ class DoliDBSqlite3 extends DoliDB
 // phpcs:enable
 $infotables = array();
- $sql = "SHOW FULL COLUMNS FROM ".$table.";";
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
+
+ $sql = "SHOW FULL COLUMNS FROM ".$tmptable.";";
 dol_syslog($sql, LOG_DEBUG);
 $result = $this->query($sql);
@@ -1002,7 +1008,9 @@ class DoliDBSqlite3 extends DoliDB
 public function DDLDropTable($table)
 {
 // phpcs:enable
- $sql = "DROP TABLE ".$table;
+ $tmptable = preg_replace('/[^a-z0-9\.\-\_]/i', '', $table);
+
+ $sql = "DROP TABLE ".$tmptable;
 if (!$this->query($sql)) {
 return -1;
diff --git a/htdocs/install/upgrade.php b/htdocs/install/upgrade.php
index b36914ad36b..c03678151fc 100644
--- a/htdocs/install/upgrade.php
+++ b/htdocs/install/upgrade.php
@@ -260,6 +260,7 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
 );
 $listtables = $db->DDLListTables($conf->db->name, '');
+
 foreach ($listtables as $val) {
 // Database prefix filter
 if (preg_match('/^'.MAIN_DB_PREFIX.'/', $val)) {
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index 2681164c857..383c37e95e5 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -17,7 +17,7 @@
 */
 /**
- * \file test/phpunit/SqlTest.php
+ * \file test/phpunit/CodingPhpTest.php
 * \ingroup test
 * \brief PHPUnit test
 * \remarks To run this script as CLI: phpunit filename.php
@@ -363,7 +363,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 // Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
 $ok=true;
 $matches=array();
- preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
+ preg_match_all('/(sql|SET|WHERE|INSERT|VALUES|LIKE).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
 foreach ($matches as $key => $val) {
 if (! in_array($val[2], array('this->d', 'this->e', 'db->esc', 'dbs->es', 'mydb->e', 'dbsessi', 'db->ida', 'escaped', 'exclude', 'include'))) {
 $ok=false; // This will generate error
diff --git a/test/phpunit/CodingSqlTest.php b/test/phpunit/CodingSqlTest.php
index 9217ebbe7f6..f79205a0443 100644
--- a/test/phpunit/CodingSqlTest.php
+++ b/test/phpunit/CodingSqlTest.php
@@ -17,7 +17,7 @@
 */
 /**
- * \file test/phpunit/SqlTest.php
+ * \file test/phpunit/CodingSqlTest.php
 * \ingroup test
 * \brief PHPUnit test
 * \remarks To run this script as CLI: phpunit filename.php
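Review bot: Adding `LIKE` to the keyword list only widens the check for quoted-literal concatenations — the pattern still requires `'"` before the `.$`, so an identifier spliced in unquoted, as in `"DROP TABLE ".$table` or `"SHOW TABLES FROM ".$database`, is never matched, and that is precisely the class of site this same commit had to fix by hand in the db classes. The comment above the call should state the limit, e.g. `// Note: only quoted-literal contexts ('".$var) are detected; identifiers concatenated unquoted (FROM ".$table) are not covered by this check.`, so a passing run is not read as proof that no unescaped interpolation remains. A natural follow-up would be a second `preg_match_all` keyed on `(FROM|TABLE|INTO)\s*"\s*\.\s*\$` with its own allow-list, if the false-positive rate is acceptable. The enclosing test method continues outside the hunk.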