diff options
author | Rick Ellis <rick.ellis@ellislab.com> | 2008-10-17 06:07:40 +0200 |
---|---|---|
committer | Rick Ellis <rick.ellis@ellislab.com> | 2008-10-17 06:07:40 +0200 |
commit | 59523592c58abc303a6eae1904c80fa6a428c3d3 (patch) | |
tree | bb27e7ac32d6b79c1ae5d5ddf33c8bc84436a228 /system/database/DB_driver.php | |
parent | e3945e9452fdaa155ad3a0ce51b591d3b12ccfe0 (diff) |
Fixed a number of bug reports related to table/db names not being escaped or prefixed correctly.
Diffstat (limited to 'system/database/DB_driver.php')
-rw-r--r-- | system/database/DB_driver.php | 334 |
1 files changed, 222 insertions, 112 deletions
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 572595f42..9508ded8c 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -61,6 +61,9 @@ class CI_DB_driver { var $cache_autodel = FALSE;
var $CACHE; // The cache class object
+ // Private variables
+ var $_protect_identifiers = TRUE;
+ var $_reserved_identifiers = array('*'); // Identifiers that should NOT be escaped
// These are use with Oracle
var $stmt_id;
@@ -97,19 +100,21 @@ class CI_DB_driver { * @param mixed
* @return void
*/
- function initialize($create_db = FALSE)
+ function initialize()
{
- // If an existing DB connection resource is supplied
+ // If an existing connection resource is available
// there is no need to connect and select the database
if (is_resource($this->conn_id) OR is_object($this->conn_id))
{
return TRUE;
}
+
+ // ----------------------------------------------------------------
- // Connect to the database
+ // Connect to the database and set the connection ID
$this->conn_id = ($this->pconnect == FALSE) ? $this->db_connect() : $this->db_pconnect();
- // No connection? Throw an error
+ // No connection resource? Throw an error
if ( ! $this->conn_id)
{
log_message('error', 'Unable to connect to the database');
@@ -121,70 +126,30 @@ class CI_DB_driver { return FALSE;
}
- // Select the database
+ // ----------------------------------------------------------------
+
+ // Select the DB... assuming a database name is specified in the config file
if ($this->database != '')
{
if ( ! $this->db_select())
{
- // Should we attempt to create the database?
- if ($create_db == TRUE)
- {
- // Load the DB utility class
- $CI =& get_instance();
- $CI->load->dbutil();
-
- // Create the DB
- if ( ! $CI->dbutil->create_database($this->database))
- {
- log_message('error', 'Unable to create database: '.$this->database);
-
- if ($this->db_debug)
- {
- $this->display_error('db_unable_to_create', $this->database);
- }
- return FALSE;
- }
- else
- {
- // In the event the DB was created we need to select it
- if ($this->db_select())
- {
- if ( ! $this->db_set_charset($this->char_set, $this->dbcollat))
- {
- log_message('error', 'Unable to set database connection charset: '.$this->char_set);
-
- if ($this->db_debug)
- {
- $this->display_error('db_unable_to_set_charset', $this->char_set);
- }
-
- return FALSE;
- }
-
- return TRUE;
- }
- }
- }
-
log_message('error', 'Unable to select database: '.$this->database);
if ($this->db_debug)
{
$this->display_error('db_unable_to_select', $this->database);
}
- return FALSE;
+ return FALSE;
}
-
- if ( ! $this->db_set_charset($this->char_set, $this->dbcollat))
+ else
{
- log_message('error', 'Unable to set database connection charset: '.$this->char_set);
-
- if ($this->db_debug)
+ // We've selected the DB. Now we set the character set
+ if ( ! $this->db_set_charset($this->char_set, $this->dbcollat))
{
- $this->display_error('db_unable_to_set_charset', $this->char_set);
+ return FALSE;
}
-
- return FALSE;
+
+ return TRUE;
}
}
@@ -194,6 +159,33 @@ class CI_DB_driver { // --------------------------------------------------------------------
/**
+ * Set client character set
+ *
+ * @access public
+ * @param string
+ * @param string
+ * @return resource
+ */
+ function db_set_charset($charset, $collation)
+ {
+ if ( ! $this->_db_set_charset($this->char_set, $this->dbcollat))
+ {
+ log_message('error', 'Unable to set database connection charset: '.$this->char_set);
+
+ if ($this->db_debug)
+ {
+ $this->display_error('db_unable_to_set_charset', $this->char_set);
+ }
+
+ return FALSE;
+ }
+
+ return TRUE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
* The name of the platform in use (mysql, mssql, etc...)
*
* @access public
@@ -667,23 +659,6 @@ class CI_DB_driver { {
return end($this->queries);
}
-
- // --------------------------------------------------------------------
-
- /**
- * Protect Identifiers
- *
- * This function adds backticks if appropriate based on db type
- *
- * @access private
- * @param mixed the item to escape
- * @param boolean only affect the first word
- * @return mixed the item with backticks
- */
- function protect_identifiers($item, $first_word_only = FALSE)
- {
- return $this->_protect_identifiers($item, $first_word_only);
- }
// --------------------------------------------------------------------
@@ -791,8 +766,8 @@ class CI_DB_driver { * @return boolean
*/
function table_exists($table_name)
- {
- return ( ! in_array($this->prep_tablename($table_name), $this->list_tables())) ? FALSE : TRUE;
+ {
+ return ( ! in_array($this->_protect_identifiers($table_name, TRUE, NULL, FALSE), $this->list_tables())) ? FALSE : TRUE;
}
// --------------------------------------------------------------------
@@ -821,7 +796,7 @@ class CI_DB_driver { return FALSE;
}
- if (FALSE === ($sql = $this->_list_columns($this->prep_tablename($table))))
+ if (FALSE === ($sql = $this->_list_columns($this->_protect_identifiers($table, TRUE, NULL, FALSE))))
{
if ($this->db_debug)
{
@@ -866,16 +841,6 @@ class CI_DB_driver { // --------------------------------------------------------------------
/**
- * DEPRECATED - use list_fields()
- */
- function field_names($table = '')
- {
- return $this->list_fields($table);
- }
-
- // --------------------------------------------------------------------
-
- /**
* Returns an object with field data
*
* @access public
@@ -893,7 +858,8 @@ class CI_DB_driver { return FALSE;
}
- $query = $this->query($this->_field_data($this->prep_tablename($table)));
+ $query = $this->query($this->_field_data($this->_protect_identifiers($table, TRUE, NULL, FALSE)));
+
return $query->field_data();
}
@@ -914,11 +880,11 @@ class CI_DB_driver { foreach($data as $key => $val)
{
- $fields[] = $this->_escape_column($key);
+ $fields[] = $this->_escape_identifiers($key);
$values[] = $this->escape($val);
}
- return $this->_insert($this->prep_tablename($table), $fields, $values);
+ return $this->_insert($this->_protect_identifiers($table, TRUE, NULL, FALSE), $fields, $values);
}
// --------------------------------------------------------------------
@@ -942,7 +908,7 @@ class CI_DB_driver { $fields = array();
foreach($data as $key => $val)
{
- $fields[$this->_escape_column($key)] = $this->escape($val);
+ $fields[$this->_protect_identifiers($key)] = $this->escape($val);
}
if ( ! is_array($where))
@@ -970,7 +936,7 @@ class CI_DB_driver { }
}
- return $this->_update($this->prep_tablename($table), $fields, $dest);
+ return $this->_update($this->_protect_identifiers($table, TRUE, NULL, FALSE), $fields, $dest);
}
// --------------------------------------------------------------------
@@ -992,29 +958,6 @@ class CI_DB_driver { return TRUE;
}
-
- // --------------------------------------------------------------------
-
- /**
- * Prep the table name - simply adds the table prefix if needed
- *
- * @access public
- * @param string the table name
- * @return string
- */
- function prep_tablename($table = '')
- {
- // Do we need to add the table prefix?
- if ($this->dbprefix != '')
- {
- if (substr($table, 0, strlen($this->dbprefix)) != $this->dbprefix)
- {
- $table = $this->dbprefix.$table;
- }
- }
-
- return $table;
- }
// --------------------------------------------------------------------
@@ -1201,7 +1144,174 @@ class CI_DB_driver { echo $error->show_error($heading, $message, 'error_db');
exit;
}
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Protect Identifiers
+ *
+ * This function adds backticks if appropriate based on db type
+ *
+ * @access private
+ * @param mixed the item to escape
+ * @return mixed the item with backticks
+ */
+ function protect_identifiers($item, $prefix_single = FALSE)
+ {
+ return $this->_protect_identifiers($item, $prefix_single);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Protect Identifiers
+ *
+ * This function is used extensively by the Active Record class, and by
+ * a couple functions in this class.
+ * It takes a column or table name (optionally with an alias) and inserts
+ * the table prefix onto it. Some logic is necessary in order to deal with
+ * column names that include the path. Consider a query like this:
+ *
+ * SELECT * FROM hostname.database.table.column AS c FROM hostname.database.table
+ *
+ * Or a query with aliasing:
+ *
+ * SELECT m.member_id, m.member_name FROM members AS m
+ *
+ * Since the column name can include up to four segments (host, DB, table, column)
+ * or also have an alias prefix, we need to do a bit of work to figure this out and
+ * insert the table prefix (if it exists) in the proper position, and escape only
+ * the correct identifiers.
+ *
+ * @access private
+ * @param string
+ * @param bool
+ * @param mixed
+ * @param bool
+ * @return string
+ */
+ function _protect_identifiers($item, $prefix_single = FALSE, $protect_identifiers = NULL, $field_exists = TRUE)
+ {
+ if ( ! is_bool($protect_identifiers))
+ {
+ $protect_identifiers = $this->_protect_identifiers;
+ }
+
+ // Convert tabs or multiple spaces into single spaces
+ $item = preg_replace('/[\t| ]+/', ' ', $item);
+ // If the item has an alias declaration we remove it and set it aside.
+ // Basically we remove everything to the right of the first space
+ $alias = '';
+ if (strpos($item, ' ') !== FALSE)
+ {
+ $alias = strstr($item, " ");
+ $item = substr($item, 0, - strlen($alias));
+ }
+
+ // Break the string apart if it contains periods, then insert the table prefix
+ // in the correct location, assuming the period doesn't indicate that we're dealing
+ // with an alias. While we're at it, we will escape the components
+ if (strpos($item, '.') !== FALSE)
+ {
+ $parts = explode('.', $item);
+
+ // Does the first segment of the exploded item match
+ // one of the aliases previously identified? If so,
+ // we have nothing more to do other then escape the item
+ if (in_array($parts[0], $this->ar_aliased_tables))
+ {
+ if ($protect_identifiers === TRUE)
+ {
+ foreach ($parts as $key => $val)
+ {
+ if ( ! in_array($val, $this->_reserved_identifiers))
+ {
+ $parts[$key] = $this->_escape_identifiers($val);
+ }
+ }
+
+ $item = implode('.', $parts);
+ }
+ return $item.$alias;
+ }
+
+ // Is there a table prefix defined in the config file? If not, no need to do anything
+ if ($this->dbprefix != '')
+ {
+ // We now add the table prefix based on some logic.
+ // Do we have 4 segments (hostname.database.table.column)?
+ // If so, we add the table prefix to the column name in the 3rd segment.
+ if (isset($parts[3]))
+ {
+ $i = 2;
+ }
+ // Do we have 3 segments (database.table.column)?
+ // If so, we add the table prefix to the column name in 2nd position
+ elseif (isset($parts[2]))
+ {
+ $i = 1;
+ }
+ // Do we have 2 segments (table.column)?
+ // If so, we add the table prefix to the column name in 1st segment
+ else
+ {
+ $i = 0;
+ }
+
+ // This flag is set when the supplied $item does not contain a field name.
+ // This can happen when this function is being called from a JOIN.
+ if ($field_exists == FALSE)
+ {
+ $i++;
+ }
+
+ // We only add the table prefix if it does not already exist
+ if (substr($parts[$i], 0, strlen($this->dbprefix)) != $this->dbprefix)
+ {
+ $parts[$i] = $this->dbprefix.$parts[$i];
+ }
+
+ // Put the parts back together
+ $item = implode('.', $parts);
+ }
+
+ if ($protect_identifiers === TRUE)
+ {
+ $item = $this->_escape_identifiers($item);
+ }
+
+ return $item.$alias;
+ }
+
+ // This is basically a bug fix for queries that use MAX, MIN, etc.
+ // If a parenthesis is found we know that we do not need to
+ // escape the data or add a prefix. There's probably a more graceful
+ // way to deal with this, but I'm not thinking of it -- Rick
+ if (strpos($item, '(') !== FALSE)
+ {
+ return $item.$alias;
+ }
+
+ // Is there a table prefix? If not, no need to insert it
+ if ($this->dbprefix != '')
+ {
+ // Do we prefix an item with no segments?
+ if ($prefix_single == TRUE AND substr($item, 0, strlen($this->dbprefix)) != $this->dbprefix)
+ {
+ $item = $this->dbprefix.$item;
+ }
+ }
+
+ if ($protect_identifiers === TRUE AND ! in_array($item, $this->_reserved_identifiers))
+ {
+ $item = $this->_escape_identifiers($item);
+ }
+
+ return $item.$alias;
+ }
+
+
}
|