Merge pull request #40 from wp-cli/esc_sql_ident

schlessera · web-flow · commit 150179633f0e · 2017-08-30T07:29:01.000+02:00
Cater for reserved word column/table names in db search.
diff --git a/features/db-search.feature b/features/db-search.feature
@@ -915,3 +915,33 @@ Feature: Search through the database
       """
       Warning: Unrecognized percent color code '%x' for 'match_color'.
       """
+
+  Scenario: Search should cater for field/table names that use reserved words or unusual characters
+    Given a WP install
+    And a esc_sql_ident.sql file:
+      """
+      CREATE TABLE `TABLE` (`KEY` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT, `VALUES` TEXT, `back``tick` TEXT, `single'double"quote` TEXT, PRIMARY KEY (`KEY`) );
+      INSERT INTO `TABLE` (`VALUES`, `back``tick`, `single'double"quote`) VALUES ('v"v`v\'v\\v_v1', 'v"v`v\'v\\v_v1', 'v"v`v\'v\\v_v1' );
+      INSERT INTO `TABLE` (`VALUES`, `back``tick`, `single'double"quote`) VALUES ('v"v`v\'v\\v_v2', 'v"v`v\'v\\v_v2', 'v"v`v\'v\\v_v2' );
+      """
+
+    When I run `wp db query "SOURCE esc_sql_ident.sql;"`
+    Then STDERR should be empty
+
+    When I run `wp db search 'v_v' TABLE`
+    Then STDOUT should be:
+      """
+      TABLE:VALUES
+      1:v"v`v'v\v_v1
+      TABLE:VALUES
+      2:v"v`v'v\v_v2
+      TABLE:back`tick
+      1:v"v`v'v\v_v1
+      TABLE:back`tick
+      2:v"v`v'v\v_v2
+      TABLE:single'double"quote
+      1:v"v`v'v\v_v1
+      TABLE:single'double"quote
+      2:v"v`v'v\v_v2
+      """
+    And STDERR should be empty
diff --git a/src/DB_Command.php b/src/DB_Command.php
@@ -883,20 +883,22 @@ public function search( $args, $assoc_args ) {
 				}
 				continue;
 			}
+			$table_sql = self::esc_sql_ident( $table );
 			$column_count += count( $text_columns );
 			if ( ! $primary_keys ) {
 				WP_CLI::warning( "No primary key for table '$table'. No row ids will be outputted." );
 				$primary_key = $primary_key_sql = '';
 			} else {
 				$primary_key = array_shift( $primary_keys );
-				$primary_key_sql = $primary_key . ', ';
+				$primary_key_sql = self::esc_sql_ident( $primary_key ) . ', ';
 			}
 
 			foreach ( $text_columns as $column ) {
+				$column_sql = self::esc_sql_ident( $column );
 				if ( $regex ) {
-					$results = $wpdb->get_results( "SELECT {$primary_key_sql}{$column} FROM {$table}" );
+					$results = $wpdb->get_results( "SELECT {$primary_key_sql}{$column_sql} FROM {$table_sql}" );
 				} else {
-					$results = $wpdb->get_results( $wpdb->prepare( "SELECT {$primary_key_sql}{$column} FROM {$table} WHERE {$column} LIKE %s;", $esc_like_search ) );
+					$results = $wpdb->get_results( $wpdb->prepare( "SELECT {$primary_key_sql}{$column_sql} FROM {$table_sql} WHERE {$column_sql} LIKE %s;", $esc_like_search ) );
 				}
 				if ( $results ) {
 					$row_count += count( $results );
@@ -966,12 +968,12 @@ public function search( $args, $assoc_args ) {
 
 	private static function get_create_query() {
 
-		$create_query = sprintf( 'CREATE DATABASE `%s`', DB_NAME );
+		$create_query = sprintf( 'CREATE DATABASE %s', self::esc_sql_ident( DB_NAME ) );
 		if ( defined( 'DB_CHARSET' ) && constant( 'DB_CHARSET' ) ) {
-			$create_query .= sprintf( ' DEFAULT CHARSET `%s`', constant( 'DB_CHARSET' ) );
+			$create_query .= sprintf( ' DEFAULT CHARSET %s', self::esc_sql_ident( DB_CHARSET ) );
 		}
 		if ( defined( 'DB_COLLATE' ) && constant( 'DB_COLLATE' ) ) {
-			$create_query .= sprintf( ' DEFAULT COLLATE `%s`', constant( 'DB_COLLATE' ) );
+			$create_query .= sprintf( ' DEFAULT COLLATE %s', self::esc_sql_ident( DB_COLLATE ) );
 		}
 		return $create_query;
 	}
@@ -1005,10 +1007,11 @@ private static function run( $cmd, $assoc_args = array(), $descriptors = null )
 	private static function get_columns( $table ) {
 		global $wpdb;
 
+		$table_sql = self::esc_sql_ident( $table );
 		$primary_keys = $text_columns = $all_columns = array();
 		$suppress_errors = $wpdb->suppress_errors();
-		if ( ( $results = $wpdb->get_results( "DESCRIBE $table" ) ) ) {
-			foreach ( $wpdb->get_results( "DESCRIBE $table" ) as $col ) {
+		if ( ( $results = $wpdb->get_results( "DESCRIBE $table_sql" ) ) ) {
+			foreach ( $results as $col ) {
 				if ( 'PRI' === $col->Key ) {
 					$primary_keys[] = $col->Field;
 				}
@@ -1058,6 +1061,24 @@ private static function esc_like( $old ) {
 		return $old;
 	}
 
+	/**
+	 * Escapes (backticks) MySQL identifiers (aka schema object names) - i.e. column names, table names, and database/index/alias/view etc names.
+	 * See https://dev.mysql.com/doc/refman/5.5/en/identifiers.html
+	 *
+	 * @param string|array $idents A single identifier or an array of identifiers.
+	 * @return string|array An escaped string if given a string, or an array of escaped strings if given an array of strings.
+	 */
+	private static function esc_sql_ident( $idents ) {
+		$backtick = function ( $v ) {
+			// Escape any backticks in the identifier by doubling.
+			return '`' . str_replace( '`', '``', $v ) . '`';
+		};
+		if ( is_string( $idents ) ) {
+			return $backtick( $idents );
+		}
+		return array_map( $backtick, $idents );
+	}
+
 	/**
 	 * Gets the color codes from the options if any, and returns the passed in array colorized with 2 elements per entry, a color code (or '') and a reset (or '').
 	 *
