Merge pull request SimpleMachines#8992 from Sesquipedalian/2.1/query_clean

[2.1] Simplifies code in db query check

Author: Sesquipedalian

Sources/Subs-Db-mysql.php

@@ -368,14 +368,12 @@ function smf_db_query($identifier, $db_string, $db_values = array(), $connection
 
 	// Comments that are allowed in a query are preg_removed.
 	static $allowed_comments_from = array(
-		'~(?<![\'\\\\])\'\X*?(?<![\'\\\\])\'~',
 		'~\s+~s',
 		'~/\*!40001 SQL_NO_CACHE \*/~',
 		'~/\*!40000 USE INDEX \([A-Za-z\_]+?\) \*/~',
 		'~/\*!40100 ON DUPLICATE KEY UPDATE id_msg = \d+ \*/~',
 	);
 	static $allowed_comments_to = array(
-		' %s ',
 		' ',
 		'',
 		'',
@@ -417,7 +415,19 @@ function smf_db_query($identifier, $db_string, $db_values = array(), $connection
 	// First, we clean strings out of the query, reduce whitespace, lowercase, and trim - so we can check it over.
 	if (empty($modSettings['disableQueryCheck']))
 	{
-		$clean = trim(strtolower(preg_replace($allowed_comments_from, $allowed_comments_to, $db_string)));
+		$clean = preg_split('/(?<![\'\\\\])\'(?![\'])/', $db_string);
+
+		for ($i = 0; $i < count($clean); $i++)
+		{
+			if ($i % 2 === 1)
+				$clean[$i] = ' %s ';
+		}
+
+		$clean = trim(strtolower(preg_replace(
+			$allowed_comments_from,
+			$allowed_comments_to,
+			implode('', $clean)
+		)));
 
 		// Comments?  We don't use comments in our queries, we leave 'em outside!
 		if (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, ';') !== false)

Sources/Subs-Db-postgresql.php

@@ -379,14 +379,12 @@ function smf_db_query($identifier, $db_string, $db_values = array(), $connection
 
 	// Comments that are allowed in a query are preg_removed.
 	static $allowed_comments_from = array(
-		'~(?<![\'\\\\])\'\X*?(?<![\'\\\\])\'~',
 		'~\s+~s',
 		'~/\*!40001 SQL_NO_CACHE \*/~',
 		'~/\*!40000 USE INDEX \([A-Za-z\_]+?\) \*/~',
 		'~/\*!40100 ON DUPLICATE KEY UPDATE id_msg = \d+ \*/~',
 	);
 	static $allowed_comments_to = array(
-		' %s ',
 		' ',
 		'',
 		'',
@@ -415,7 +413,19 @@ function smf_db_query($identifier, $db_string, $db_values = array(), $connection
 	// First, we clean strings out of the query, reduce whitespace, lowercase, and trim - so we can check it over.
 	if (empty($modSettings['disableQueryCheck']))
 	{
-		$clean = trim(strtolower(preg_replace($allowed_comments_from, $allowed_comments_to, $db_string)));
+		$clean = preg_split('/(?<![\'\\\\])\'(?![\'])/', $db_string);
+
+		for ($i = 0; $i < count($clean); $i++)
+		{
+			if ($i % 2 === 1)
+				$clean[$i] = ' %s ';
+		}
+
+		$clean = trim(strtolower(preg_replace(
+			$allowed_comments_from,
+			$allowed_comments_to,
+			implode('', $clean)
+		)));
 
 		// Comments?  We don't use comments in our queries, we leave 'em outside!
 		if (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, ';') !== false)