Merge remote-tracking branch 'upstream/master' into context_bug

Author: gitlost

features/db-search.feature

@@ -708,6 +708,13 @@ Feature: Search through the database
       """
     Then the return code should be 1
 
+    When I try `wp db search 'unfindable' --regex --regex-delimiter='1'`
+    Then STDERR should be:
+      """
+      Error: The regex '1unfindable1' fails.
+      """
+    Then the return code should be 1
+
     When I run `wp db search '[0-9é]+?https:' --regex --regex-flags=u --before_context=0 --after_context=0`
     Then STDOUT should contain:
       """
@@ -909,6 +916,36 @@ Feature: Search through the database
       Warning: Unrecognized percent color code '%x' for 'match_color'.
       """
 
+  Scenario: Search should cater for field/table names that use reserved words or unusual characters
+    Given a WP install
+    And a esc_sql_ident.sql file:
+      """
+      CREATE TABLE `TABLE` (`KEY` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT, `VALUES` TEXT, `back``tick` TEXT, `single'double"quote` TEXT, PRIMARY KEY (`KEY`) );
+      INSERT INTO `TABLE` (`VALUES`, `back``tick`, `single'double"quote`) VALUES ('v"v`v\'v\\v_v1', 'v"v`v\'v\\v_v1', 'v"v`v\'v\\v_v1' );
+      INSERT INTO `TABLE` (`VALUES`, `back``tick`, `single'double"quote`) VALUES ('v"v`v\'v\\v_v2', 'v"v`v\'v\\v_v2', 'v"v`v\'v\\v_v2' );
+      """
+
+    When I run `wp db query "SOURCE esc_sql_ident.sql;"`
+    Then STDERR should be empty
+
+    When I run `wp db search 'v_v' TABLE`
+    Then STDOUT should be:
+      """
+      TABLE:VALUES
+      1:v"v`v'v\v_v1
+      TABLE:VALUES
+      2:v"v`v'v\v_v2
+      TABLE:back`tick
+      1:v"v`v'v\v_v1
+      TABLE:back`tick
+      2:v"v`v'v\v_v2
+      TABLE:single'double"quote
+      1:v"v`v'v\v_v1
+      TABLE:single'double"quote
+      2:v"v`v'v\v_v2
+      """
+    And STDERR should be empty
+
   Scenario: Search with matches within context
     Given a WP install
     And I run `wp option update matches_in_context '1234_XYXYX_2345678_XYXYX_2345678901_XYXYX_2345'`

src/DB_Command.php

@@ -875,20 +875,22 @@ public function search( $args, $assoc_args ) {
 				}
 				continue;
 			}
+			$table_sql = self::esc_sql_ident( $table );
 			$column_count += count( $text_columns );
 			if ( ! $primary_keys ) {
 				WP_CLI::warning( "No primary key for table '$table'. No row ids will be outputted." );
 				$primary_key = $primary_key_sql = '';
 			} else {
 				$primary_key = array_shift( $primary_keys );
-				$primary_key_sql = $primary_key . ', ';
+				$primary_key_sql = self::esc_sql_ident( $primary_key ) . ', ';
 			}
 
 			foreach ( $text_columns as $column ) {
+				$column_sql = self::esc_sql_ident( $column );
 				if ( $regex ) {
-					$results = $wpdb->get_results( "SELECT {$primary_key_sql}{$column} FROM {$table}" );
+					$results = $wpdb->get_results( "SELECT {$primary_key_sql}{$column_sql} FROM {$table_sql}" );
 				} else {
-					$results = $wpdb->get_results( $wpdb->prepare( "SELECT {$primary_key_sql}{$column} FROM {$table} WHERE {$column} LIKE %s;", $esc_like_search ) );
+					$results = $wpdb->get_results( $wpdb->prepare( "SELECT {$primary_key_sql}{$column_sql} FROM {$table_sql} WHERE {$column_sql} LIKE %s;", $esc_like_search ) );
 				}
 				if ( $results ) {
 					$row_count += count( $results );
@@ -953,12 +955,12 @@ public function search( $args, $assoc_args ) {
 
 	private static function get_create_query() {
 
-		$create_query = sprintf( 'CREATE DATABASE `%s`', DB_NAME );
+		$create_query = sprintf( 'CREATE DATABASE %s', self::esc_sql_ident( DB_NAME ) );
 		if ( defined( 'DB_CHARSET' ) && constant( 'DB_CHARSET' ) ) {
-			$create_query .= sprintf( ' DEFAULT CHARSET `%s`', constant( 'DB_CHARSET' ) );
+			$create_query .= sprintf( ' DEFAULT CHARSET %s', self::esc_sql_ident( DB_CHARSET ) );
 		}
 		if ( defined( 'DB_COLLATE' ) && constant( 'DB_COLLATE' ) ) {
-			$create_query .= sprintf( ' DEFAULT COLLATE `%s`', constant( 'DB_COLLATE' ) );
+			$create_query .= sprintf( ' DEFAULT COLLATE %s', self::esc_sql_ident( DB_COLLATE ) );
 		}
 		return $create_query;
 	}
@@ -992,10 +994,11 @@ private static function run( $cmd, $assoc_args = array(), $descriptors = null )
 	private static function get_columns( $table ) {
 		global $wpdb;
 
+		$table_sql = self::esc_sql_ident( $table );
 		$primary_keys = $text_columns = $all_columns = array();
 		$suppress_errors = $wpdb->suppress_errors();
-		if ( ( $results = $wpdb->get_results( "DESCRIBE $table" ) ) ) {
-			foreach ( $wpdb->get_results( "DESCRIBE $table" ) as $col ) {
+		if ( ( $results = $wpdb->get_results( "DESCRIBE $table_sql" ) ) ) {
+			foreach ( $results as $col ) {
 				if ( 'PRI' === $col->Key ) {
 					$primary_keys[] = $col->Field;
 				}
@@ -1045,6 +1048,24 @@ private static function esc_like( $old ) {
 		return $old;
 	}
 
+	/**
+	 * Escapes (backticks) MySQL identifiers (aka schema object names) - i.e. column names, table names, and database/index/alias/view etc names.
+	 * See https://dev.mysql.com/doc/refman/5.5/en/identifiers.html
+	 *
+	 * @param string|array $idents A single identifier or an array of identifiers.
+	 * @return string|array An escaped string if given a string, or an array of escaped strings if given an array of strings.
+	 */
+	private static function esc_sql_ident( $idents ) {
+		$backtick = function ( $v ) {
+			// Escape any backticks in the identifier by doubling.
+			return '`' . str_replace( '`', '``', $v ) . '`';
+		};
+		if ( is_string( $idents ) ) {
+			return $backtick( $idents );
+		}
+		return array_map( $backtick, $idents );
+	}
+
 	/**
 	 * Gets the color codes from the options if any, and returns the passed in array colorized with 2 elements per entry, a color code (or '') and a reset (or '').
 	 *