Skip to content

Commit c74c54e

Browse files
SesquipedalianSesquipedalian
authored
Merge pull request #8870 from Sesquipedalian/3.0/db_query_check_redux
[3.0] Further simplifies code in db query check
2 parents a95b999 + b0a5c7e commit c74c54e

File tree

2 files changed

+26
-6
lines changed

2 files changed

+26
-6
lines changed

Sources/Db/APIs/MySQL.php

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -128,14 +128,12 @@ public function query(string $db_string, array $db_values = [], ?object $connect
128128
{
129129
// Comments that are allowed in a query are preg_removed.
130130
$allowed_comments_from = [
131-
'~(?<![\'\\\\])\'(?' . '>\'\'|\\\\\'|[^\'])*?\'(?![\'])~',
132131
'~\s+~s',
133132
'~/\*!40001 SQL_NO_CACHE \*/~',
134133
'~/\*!40000 USE INDEX \([A-Za-z\_]+?\) \*/~',
135134
'~/\*!40100 ON DUPLICATE KEY UPDATE id_msg = \d+ \*/~',
136135
];
137136
$allowed_comments_to = [
138-
' %s ',
139137
' ',
140138
'',
141139
'',
@@ -170,7 +168,19 @@ public function query(string $db_string, array $db_values = [], ?object $connect
170168

171169
// First, we clean strings out of the query, reduce whitespace, lowercase, and trim - so we can check it over.
172170
if (!$this->disableQueryCheck) {
173-
$clean = trim(strtolower((string) preg_replace($allowed_comments_from, $allowed_comments_to, $db_string)));
171+
$clean = preg_split('/(?<![\'\\\\])\'(?![\'])/', $db_string);
172+
173+
for ($i = 0; $i < \count($clean); $i++) {
174+
if ($i % 2 === 1) {
175+
$clean[$i] = ' %s ';
176+
}
177+
}
178+
179+
$clean = trim(strtolower(preg_replace(
180+
$allowed_comments_from,
181+
$allowed_comments_to,
182+
implode('', $clean),
183+
)));
174184

175185
if (
176186
// Empty string?

Sources/Db/APIs/PostgreSQL.php

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -176,14 +176,12 @@ public function query(string $db_string, array $db_values = [], ?object $connect
176176

177177
// Comments that are allowed in a query are preg_removed.
178178
$allowed_comments_from = [
179-
'~(?<![\'\\\\])\'(?' . '>\'\'|\\\\\'|[^\'])*?\'(?![\'])~',
180179
'~\s+~s',
181180
'~/\*!40001 SQL_NO_CACHE \*/~',
182181
'~/\*!40000 USE INDEX \([A-Za-z\_]+?\) \*/~',
183182
'~/\*!40100 ON DUPLICATE KEY UPDATE id_msg = \d+ \*/~',
184183
];
185184
$allowed_comments_to = [
186-
' %s ',
187185
' ',
188186
'',
189187
'',
@@ -217,7 +215,19 @@ public function query(string $db_string, array $db_values = [], ?object $connect
217215

218216
// First, we clean strings out of the query, reduce whitespace, lowercase, and trim - so we can check it over.
219217
if (!$this->disableQueryCheck) {
220-
$clean = trim(strtolower((string) preg_replace($allowed_comments_from, $allowed_comments_to, $db_string)));
218+
$clean = preg_split('/(?<![\'\\\\])\'(?![\'])/', $db_string);
219+
220+
for ($i = 0; $i < \count($clean); $i++) {
221+
if ($i % 2 === 1) {
222+
$clean[$i] = ' %s ';
223+
}
224+
}
225+
226+
$clean = trim(strtolower(preg_replace(
227+
$allowed_comments_from,
228+
$allowed_comments_to,
229+
implode('', $clean),
230+
)));
221231

222232
if (
223233
// Empty string?

0 commit comments

Comments
 (0)