From e32d8e9113257dca64ec205e78255cc2d6cc6813 Mon Sep 17 00:00:00 2001 From: Carsten Rose Date: Sat, 1 Feb 2020 15:57:46 +0100 Subject: [PATCH] Fixes #5869 Tablenames not properly escaped --- extension/Classes/Core/AbstractBuildForm.php | 10 +++++----- extension/Classes/Core/BuildFormBootstrap.php | 2 +- extension/Classes/Core/Constants.php | 16 ++++++++-------- extension/Classes/Core/Database/Database.php | 4 ++-- .../Classes/Core/Database/DatabaseUpdate.php | 8 ++++---- .../Core/Database/DatabaseUpdateData.php | 14 +++++++------- extension/Classes/Core/Delete.php | 6 +++--- .../Core/Exception/AbstractException.php | 2 +- extension/Classes/Core/Form/Dirty.php | 12 ++++++------ extension/Classes/Core/Form/DragAndDrop.php | 2 +- extension/Classes/Core/Form/FormAction.php | 12 ++++++------ extension/Classes/Core/QuickFormQuery.php | 18 +++++++++--------- extension/Classes/Core/Report/Download.php | 2 +- extension/Classes/Core/Report/SendMail.php | 16 +++++++++++----- extension/Classes/Core/Report/Tablesorter.php | 4 ++-- extension/Classes/Core/Save.php | 8 ++++---- extension/Classes/Core/Store/FillStoreForm.php | 2 +- extension/Classes/Core/Store/Store.php | 2 +- 18 files changed, 73 insertions(+), 67 deletions(-) diff --git a/extension/Classes/Core/AbstractBuildForm.php b/extension/Classes/Core/AbstractBuildForm.php index e9ffea52..c58926e7 100644 --- a/extension/Classes/Core/AbstractBuildForm.php +++ b/extension/Classes/Core/AbstractBuildForm.php @@ -253,7 +253,7 @@ abstract class AbstractBuildForm { $this->store->setStore($row, STORE_PARENT_RECORD, true); $this->store->setVar(F_MULTI_COL_ID, $row[$idName], STORE_PARENT_RECORD); // In case '_id' is used, both '_id' and 'id' should be accessible. - $record = $this->dbArray[$this->dbIndexData]->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE id=' . $row[F_MULTI_COL_ID], ROW_EXPECT_1); + $record = $this->dbArray[$this->dbIndexData]->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE `id`=' . $row[F_MULTI_COL_ID], ROW_EXPECT_1); $this->store->setStore($record, STORE_RECORD, true); $jsonTmp = array(); @@ -555,7 +555,7 @@ abstract class AbstractBuildForm { $record = array(); if ($recordId != 0) { - $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to load not found."); + $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to load not found."); } return OnArray::getMd5($record); @@ -742,7 +742,7 @@ abstract class AbstractBuildForm { $primaryKey = $this->formSpec[F_PRIMARY_KEY]; if ($recordId > 0 && $this->store->getVar($primaryKey, STORE_RECORD) === false) { $tableName = $this->formSpec[F_TABLE_NAME]; - $row = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey = ?", ROW_EXPECT_1, + $row = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey` = ?", ROW_EXPECT_1, array($recordId), "Form '" . $this->formSpec[F_NAME] . "' failed to load record '$primaryKey'='$recordId' from table '" . $this->formSpec[F_TABLE_NAME] . "'."); $this->store->setStore($row, STORE_RECORD); @@ -2108,7 +2108,7 @@ abstract class AbstractBuildForm { } elseif (!empty($formElement[SUBRECORD_PARAMETER_FORM])) { // Read table from form specified in subrecord $formName = $formElement[SUBRECORD_PARAMETER_FORM]; - $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f." . F_NAME . " LIKE ? AND f.deleted='no'", + $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Form` AS f WHERE `f`.`" . F_NAME . "` LIKE ? AND `f`.`deleted`='no'", ROW_REGULAR, [$formName]); if (count($form) > 0) { $dndTable = $form[0][F_TABLE_NAME]; @@ -2371,7 +2371,7 @@ abstract class AbstractBuildForm { * @throws \UserFormException */ private function getFormTable($formName) { - $row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT " . F_TABLE_NAME . " FROM Form AS f WHERE f.name = ?", ROW_EXPECT_0_1, [$formName]); + $row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `" . F_TABLE_NAME . "` FROM `Form` AS f WHERE `f`.`name` = ?", ROW_EXPECT_0_1, [$formName]); if (isset($row[F_TABLE_NAME])) { return $row[F_TABLE_NAME]; } diff --git a/extension/Classes/Core/BuildFormBootstrap.php b/extension/Classes/Core/BuildFormBootstrap.php index b78641ab..3d4a2d28 100644 --- a/extension/Classes/Core/BuildFormBootstrap.php +++ b/extension/Classes/Core/BuildFormBootstrap.php @@ -252,7 +252,7 @@ class BuildFormBootstrap extends AbstractBuildForm { break; case 'formElement': if (false !== ($formId = $this->store->getVar(FE_FORM_ID, STORE_SIP . STORE_RECORD))) { - $row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT f.name FROM Form AS f WHERE id=" . $formId, ROW_EXPECT_1); + $row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `f`.`name` FROM `Form` AS f WHERE `id`=" . $formId, ROW_EXPECT_1); $form = current($row); } break; diff --git a/extension/Classes/Core/Constants.php b/extension/Classes/Core/Constants.php index ce13fabd..8d24f7c3 100644 --- a/extension/Classes/Core/Constants.php +++ b/extension/Classes/Core/Constants.php @@ -63,15 +63,15 @@ const RETURN_URL = 'return_url'; const RETURN_SIP = 'return_sip'; const RETURN_ARRAY = 'return_array'; -const SQL_FORM_ELEMENT_BY_ID = "SELECT * FROM FormElement AS fe WHERE fe.id = ?"; -const SQL_FORM_ELEMENT_RAW = "SELECT * FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; -const SQL_FORM_ELEMENT_SPECIFIC_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND FIND_IN_SET(fe.class, ? ) AND fe.feIdContainer = ? AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; -const SQL_FORM_ELEMENT_ALL_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND FIND_IN_SET(fe.class, ? ) AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; -const SQL_FORM_ELEMENT_SIMPLE_ALL_CONTAINER = "SELECT fe.id, fe.feIdContainer, fe.name, fe.value, fe.label, fe.type, fe.encode, fe.checkType, fe.checkPattern, fe.mode, fe.modeSql, fe.parameter, fe.dynamicUpdate FROM FormElement AS fe, Form AS f WHERE f.name = ? AND f.id = fe.formId AND fe.deleted = 'no' AND fe.class = 'native' AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; -const SQL_FORM_ELEMENT_CONTAINER_TEMPLATE_GROUP = "SELECT fe.id, fe.name, fe.label, fe.maxLength, fe.parameter FROM FormElement AS fe, Form AS f WHERE f.name = ? AND f.id = fe.formId AND fe.deleted = 'no' AND fe.class = 'container' AND fe.type='templateGroup' AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; -const SQL_FORM_ELEMENT_TEMPLATE_GROUP_FE_ID = "SELECT * FROM FormElement AS fe WHERE fe.id = ? AND fe.deleted = 'no' AND fe.class = 'container' AND fe.type='templateGroup' AND fe.enabled='yes' "; +const SQL_FORM_ELEMENT_BY_ID = "SELECT * FROM `FormElement` AS fe WHERE `fe`.`id` = ?"; +const SQL_FORM_ELEMENT_RAW = "SELECT * FROM `FormElement` AS `fe` WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`"; +const SQL_FORM_ELEMENT_SPECIFIC_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM `FormElement` AS fe WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND FIND_IN_SET(`fe`.`class`, ? ) AND `fe`.`feIdContainer` = ? AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`"; +const SQL_FORM_ELEMENT_ALL_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM `FormElement` AS `fe` WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND FIND_IN_SET(`fe`.`class`, ? ) AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`"; +const SQL_FORM_ELEMENT_SIMPLE_ALL_CONTAINER = "SELECT `fe`.`id`, `fe`.`feIdContainer`, `fe`.`name`, `fe`.`value`, `fe`.`label`, `fe`.`type`, `fe`.`encode`, `fe`.`checkType`, `fe`.`checkPattern`, `fe`.`mode`, `fe`.`modeSql`, `fe`.`parameter`, `fe`.`dynamicUpdate` FROM `FormElement` AS fe, `Form` AS f WHERE `f`.`name` = ? AND `f`.`id` = `fe`.`formId` AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'native' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`"; +const SQL_FORM_ELEMENT_CONTAINER_TEMPLATE_GROUP = "SELECT `fe`.`id`, `fe`.`name`, `fe`.`label`, `fe`.`maxLength`, `fe`.`parameter` FROM `FormElement` AS fe, `Form` AS f WHERE `f`.`name` = ? AND `f`.`id` = `fe`.`formId` AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'container' AND `fe`.`type`='templateGroup' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`"; +const SQL_FORM_ELEMENT_TEMPLATE_GROUP_FE_ID = "SELECT * FROM `FormElement` AS fe WHERE `fe`.`id` = ? AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'container' AND `fe`.`type`='templateGroup' AND `fe`.`enabled`='yes' "; //const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT fe.*, IFNULL(feTg.maxLength,0) AS _tgCopies FROM FormElement AS fe LEFT JOIN FormElement AS feTg ON fe.feIdContainer=feTg.id AND feTg.deleted = 'no' AND feTg.class = 'container' AND feTg.type='templateGroup' AND feTg.enabled='yes' WHERE fe.formId = ? AND fe.deleted = 'no' AND fe.class = 'native' AND fe.enabled='yes'"; -const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT fe.*, IFNULL(feTg.maxLength,0) AS _tgCopies FROM FormElement AS fe LEFT JOIN FormElement AS feTg ON fe.feIdContainer=feTg.id AND feTg.deleted = 'no' AND feTg.class = 'container' AND feTg.type='templateGroup' AND feTg.enabled='yes' WHERE fe.formId = ? AND fe.deleted = 'no' AND (fe.class = 'native' OR (fe.class = 'container' AND fe.type='pill')) AND fe.enabled='yes'"; +const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT `fe`.*, IFNULL(`feTg`.`maxLength`,0) AS _tgCopies FROM `FormElement` AS fe LEFT JOIN `FormElement` AS feTg ON `fe`.`feIdContainer`=`feTg`.`id` AND `feTg`.`deleted` = 'no' AND `feTg`.`class` = 'container' AND `feTg`.`type`='templateGroup' AND `feTg`.`enabled`='yes' WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND (`fe`.`class` = 'native' OR (`fe`.`class` = 'container' AND `fe`.`type`='pill')) AND `fe`.`enabled`='yes'"; const NAME_TG_COPIES = '_tgCopies'; // Number of templatesGroup copies to create on the fly. Also used in SQL_FORM_ELEMENT_NATIVE_TG_COUNT. const FE_TG_INDEX = '_tgIndex'; // Index of the current copy of a templateGroup FE. diff --git a/extension/Classes/Core/Database/Database.php b/extension/Classes/Core/Database/Database.php index 1d8bd050..2390d08b 100644 --- a/extension/Classes/Core/Database/Database.php +++ b/extension/Classes/Core/Database/Database.php @@ -1055,7 +1055,7 @@ class Database { */ public function deleteSplitFileAndRecord($xId, $tableName) { - $sql = 'SELECT pathFileName FROM ' . TABLE_NAME_SPLIT . ' WHERE tableName=? AND xId=?'; + $sql = 'SELECT `pathFileName` FROM `' . TABLE_NAME_SPLIT . '` WHERE `tableName`=? AND `xId`=?'; $data = $this->sql($sql, ROW_REGULAR, [$tableName, $xId]); foreach ($data AS $row) { @@ -1064,7 +1064,7 @@ class Database { } } - $this->sql('DELETE FROM ' . TABLE_NAME_SPLIT . ' WHERE tableName=? AND xId=?', ROW_REGULAR, [$tableName, $xId]); + $this->sql('DELETE FROM `' . TABLE_NAME_SPLIT . '` WHERE `tableName`=? AND `xId`=?', ROW_REGULAR, [$tableName, $xId]); } } \ No newline at end of file diff --git a/extension/Classes/Core/Database/DatabaseUpdate.php b/extension/Classes/Core/Database/DatabaseUpdate.php index d571d995..9404b23c 100644 --- a/extension/Classes/Core/Database/DatabaseUpdate.php +++ b/extension/Classes/Core/Database/DatabaseUpdate.php @@ -201,14 +201,14 @@ class DatabaseUpdate { if (defined('PHPUNIT_QFQ')) { $res = array(); } else { - $res = $this->db->sql("SELECT uid, header, bodytext FROM " . $dbT3 . ".tt_content WHERE CType='qfq_qfq' AND deleted=0;"); + $res = $this->db->sql("SELECT `uid`, `header`, `bodytext` FROM `" . $dbT3 . "`.`tt_content` WHERE `CType`='qfq_qfq' AND `deleted`=0;"); } foreach ($res as $i => $tt_content) { $replaced_placeholder = preg_replace($patterns, '${1}' . $placeholder . '${2}', $tt_content['bodytext']); if (strpos($replaced_placeholder, $placeholder) !== false) { if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) { $replace = str_replace($placeholder, '_', $replaced_placeholder); - $query = "UPDATE " . $dbT3 . ".tt_content SET bodytext='" . addslashes($replace) . "' WHERE uid='" . $tt_content['uid'] . "'"; + $query = "UPDATE `" . $dbT3 . "`.`tt_content` SET `bodytext`='" . addslashes($replace) . "' WHERE `uid`='" . $tt_content['uid'] . "'"; $this->db->sql($query); } $message_fe .= '
' . $tt_content['header'] . ' [uid:' . $tt_content['uid'] . ']

'; @@ -226,7 +226,7 @@ class DatabaseUpdate { if (defined('PHPUNIT_QFQ')) { $res = array(); } else { - $res = $this->db->sql("SELECT fe.id, fe.name, fe.value, fe.note FROM FormElement as fe WHERE fe.type='note' AND fe.value LIKE '#!report%' OR fe.note LIKE '%#!report%';"); + $res = $this->db->sql("SELECT `fe`.`id`, `fe`.`name`, `fe`.`value`, `fe`.`note` FROM `FormElement` AS fe WHERE `fe`.`type`='note' AND `fe`.`value` LIKE '#!report%' OR `fe`.`note` LIKE '%#!report%';"); } foreach ($res as $i => $tt_content) { @@ -235,7 +235,7 @@ class DatabaseUpdate { if (strpos($replaced_placeholder, $placeholder) !== false) { if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) { $replace = str_replace($placeholder, '_', $replaced_placeholder); - $query = "UPDATE FormElement SET " . $columnName . "='" . addslashes($replace) . "' WHERE id='" . $tt_content['id'] . "'"; + $query = "UPDATE `FormElement` SET `" . $columnName . "`='" . addslashes($replace) . "' WHERE `id`='" . $tt_content['id'] . "'"; $this->db->sql($query); } $message_ttc .= '
' . $tt_content['name'] . ' [id:' . $tt_content['id'] . '] (FormElement.' . $columnName . ')

'; diff --git a/extension/Classes/Core/Database/DatabaseUpdateData.php b/extension/Classes/Core/Database/DatabaseUpdateData.php index c407cca7..1ec9c570 100644 --- a/extension/Classes/Core/Database/DatabaseUpdateData.php +++ b/extension/Classes/Core/Database/DatabaseUpdateData.php @@ -23,7 +23,7 @@ $UPDATE_ARRAY = array( ], '0.15.0' => [ - "UPDATE FormElement SET parameter = REPLACE(parameter, 'typeAheadLdapKeyPrintf', 'typeAheadLdapIdPrintf')", + "UPDATE `FormElement` SET `parameter` = REPLACE(parameter, 'typeAheadLdapKeyPrintf', 'typeAheadLdapIdPrintf')", "ALTER TABLE `FormElement` CHANGE `placeholder` `placeholder` VARCHAR( 2048 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '' ", ], @@ -44,7 +44,7 @@ $UPDATE_ARRAY = array( '0.18.0' => [ "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'page', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'", - "UPDATE Form SET forwardMode='url' WHERE forwardMode='page'", + "UPDATE `Form` SET `forwardMode`='url' WHERE `forwardMode`='page'", "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'", ], @@ -57,7 +57,7 @@ $UPDATE_ARRAY = array( "ALTER TABLE `Form` ADD `dirtyMode` ENUM( 'exclusive', 'advisory', 'none' ) NOT NULL DEFAULT 'exclusive' AFTER `requiredParameter`", "ALTER TABLE `Form` ADD `recordLockTimeoutSeconds` INT NOT NULL DEFAULT '900' AFTER `parameter`", "CREATE TABLE IF NOT EXISTS `Period` (`id` INT(11) NOT NULL AUTO_INCREMENT, `start` DATETIME NOT NULL, `name` VARCHAR(255) NOT NULL, `modified` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, `created` DATETIME NOT NULL, PRIMARY KEY (`id`), KEY `start` (`start`)) ENGINE = InnoDB DEFAULT CHARSET = utf8 AUTO_INCREMENT = 0;", - "INSERT INTO Period (start, name, created) VALUES (NOW(), 'dummy', NOW());" + "INSERT INTO `Period` (`start`, `name`, `created`) VALUES (NOW(), 'dummy', NOW());" ], '0.19.2' => [ @@ -79,7 +79,7 @@ $UPDATE_ARRAY = array( '0.21.0' => [ "ALTER TABLE `Form` CHANGE `requiredParameter` `requiredParameterNew` VARCHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT ''", "ALTER TABLE `Form` ADD `requiredParameterEdit` VARCHAR( 255 ) NOT NULL AFTER `requiredParameterNew`", - "UPDATE Form SET requiredParameterEdit=requiredParameterNew", + "UPDATE `Form` SET `requiredParameterEdit`=requiredParameterNew", ], '0.24.0' => [ @@ -103,7 +103,7 @@ $UPDATE_ARRAY = array( ], '0.25.11' => [ - "UPDATE FormElement SET checkType = 'alnumx', checkPattern = '', parameter = CONCAT(parameter, '\nmin = ', SUBSTRING_INDEX(checkPattern, '|', 1), '\nmax = ', SUBSTRING_INDEX(checkPattern, '|', -1)) WHERE checkType LIKE 'min|max%' AND checkPattern <> ''", + "UPDATE `FormElement` SET `checkType` = 'alnumx', checkPattern = '', parameter = CONCAT(parameter, '\nmin = ', SUBSTRING_INDEX(checkPattern, '|', 1), '\nmax = ', SUBSTRING_INDEX(checkPattern, '|', -1)) WHERE checkType LIKE 'min|max%' AND checkPattern <> ''", "ALTER TABLE `FormElement` CHANGE `checkType` `checkType` ENUM('alnumx','digit','numerical','email','pattern','allbut','all') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'alnumx';", ], @@ -120,7 +120,7 @@ $UPDATE_ARRAY = array( '18.6.0' => [ "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'client','no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'", - "UPDATE `Form` SET forwardMode='auto' WHERE forwardMode='client'", + "UPDATE `Form` SET `forwardMode`='auto' WHERE `forwardMode`='client'", "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'close', 'no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';", ], @@ -147,7 +147,7 @@ $UPDATE_ARRAY = array( '19.3.2' => [ "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto','close','no','url','url-skip-history','url-sip','url-sip-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';", - "UPDATE `Form` SET forwardMode='url-sip-skip-history' WHERE forwardMode='url-sip'", + "UPDATE `Form` SET `forwardMode`='url-sip-skip-history' WHERE `forwardMode`='url-sip'", ], '19.7.2' => [ diff --git a/extension/Classes/Core/Delete.php b/extension/Classes/Core/Delete.php index 9cb687b8..6e9937c5 100644 --- a/extension/Classes/Core/Delete.php +++ b/extension/Classes/Core/Delete.php @@ -79,12 +79,12 @@ class Delete { } // Read record first. - $row = $this->db->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_0_1, [$recordId]); + $row = $this->db->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_0_1, [$recordId]); if (count($row) > 0) { $this->deleteReferencedFiles($row, $tableName, $primaryKey); - $this->db->sql("DELETE FROM $tableName WHERE $primaryKey =? LIMIT 1", ROW_REGULAR, [$recordId]); + $this->db->sql("DELETE FROM `$tableName` WHERE `$primaryKey` =? LIMIT 1", ROW_REGULAR, [$recordId]); } else { throw new \UserFormException( json_encode([ERROR_MESSAGE_TO_USER => 'Record not found in table', ERROR_MESSAGE_TO_DEVELOPER => "Record $recordId not found in table '$tableName'."]), @@ -124,7 +124,7 @@ class Delete { // check if there are other records referencing the same file: do not delete the file now. // This check won't find duplicates, if they are spread over different columns or tables. - $samePathFileName = $this->db->sql("SELECT COUNT($primaryKey) AS cnt FROM $tableName WHERE $key LIKE ?", ROW_EXPECT_1, [$file]); + $samePathFileName = $this->db->sql("SELECT COUNT($primaryKey) AS cnt FROM `$tableName` WHERE `$key` LIKE ?", ROW_EXPECT_1, [$file]); if ($samePathFileName['cnt'] === 1) { HelperFile::unlink($file); $this->db->deleteSplitFileAndRecord($row[$primaryKey], $tableName); diff --git a/extension/Classes/Core/Exception/AbstractException.php b/extension/Classes/Core/Exception/AbstractException.php index 02ed06a3..bc2b28a2 100644 --- a/extension/Classes/Core/Exception/AbstractException.php +++ b/extension/Classes/Core/Exception/AbstractException.php @@ -279,7 +279,7 @@ class AbstractException extends \Exception { $linkFormElement = ''; try { $db = new Database(); - $sql = "SELECT id FROM Form WHERE name='" . $storeSystem[SYSTEM_FORM] . "'"; + $sql = "SELECT `id` FROM `Form` WHERE `name`='" . $storeSystem[SYSTEM_FORM] . "'"; $r = $db->sql($sql, ROW_EXPECT_0_1); if (!is_numeric($r[F_ID])) { diff --git a/extension/Classes/Core/Form/Dirty.php b/extension/Classes/Core/Form/Dirty.php index b8039fa2..53c1ec00 100644 --- a/extension/Classes/Core/Form/Dirty.php +++ b/extension/Classes/Core/Form/Dirty.php @@ -125,7 +125,7 @@ class Dirty { $this->dbIndexData = empty($sipVars[PARAM_DB_INDEX_DATA]) ? $this->store->getVar(SYSTEM_DB_INDEX_DATA, STORE_SYSTEM) : $sipVars[PARAM_DB_INDEX_DATA]; $this->doDbArray($this->dbIndexData, $this->dbIndexQfq); - $tableVars = $this->dbArray[$this->dbIndexQfq]->sql("SELECT tableName, primaryKey, dirtyMode, recordLockTimeoutSeconds FROM Form WHERE name=?", ROW_EXPECT_1, [$sipVars[SIP_FORM]], "Form not found: '" . $sipVars[SIP_FORM] . "'"); + $tableVars = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `tableName`, `primaryKey`, `dirtyMode`, `recordLockTimeoutSeconds` FROM `Form` WHERE `name`=?", ROW_EXPECT_1, [$sipVars[SIP_FORM]], "Form not found: '" . $sipVars[SIP_FORM] . "'"); if (empty($tableVars[F_PRIMARY_KEY])) { $tableVars[F_PRIMARY_KEY] = F_PRIMARY_KEY_DEFAULT; } @@ -208,7 +208,7 @@ class Dirty { */ private function getRecordDirty($tableName, $recordId) { - $recordDirty = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Dirty AS d WHERE d.tableName LIKE ? AND recordId=? ", + $recordDirty = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Dirty` AS d WHERE `d`.`tableName` LIKE ? AND `recordId`=? ", ROW_EXPECT_0_1, [$tableName, $recordId]); // Check if the record is timed out - owner doesn't matter. @@ -286,12 +286,12 @@ class Dirty { $primaryKey = $tableVars[F_PRIMARY_KEY]; $formDirtyMode = $tableVars[F_DIRTY_MODE]; - $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to lock not found."); + $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to lock not found."); # Dirty workaround: setting the 'expired timestamp' minus 1 second guarantees that the client ask for relock always if the timeout is expired. $expire = date('Y-m-d H:i:s', strtotime("+" . $tableVars[F_RECORD_LOCK_TIMEOUT_SECONDS] - 1 . " seconds")); // Write 'dirty' record - $this->dbArray[$this->dbIndexQfq]->sql("INSERT INTO Dirty (`sip`, `tableName`, `recordId`, `expire`, `recordHashMd5`, `tabUniqId`, `feUser`, `qfqUserSessionCookie`, `dirtyMode`, `remoteAddress`, `created`) " . + $this->dbArray[$this->dbIndexQfq]->sql("INSERT INTO `Dirty` (`sip`, `tableName`, `recordId`, `expire`, `recordHashMd5`, `tabUniqId`, `feUser`, `qfqUserSessionCookie`, `dirtyMode`, `remoteAddress`, `created`) " . "VALUES ( ?,?,?,?,?,?,?,?,?,?,? )", ROW_REGULAR, [$s, $tableName, $recordId, $expire, $recordHashMd5, $tabUniqId, $feUser, $this->client[CLIENT_COOKIE_QFQ], $formDirtyMode, $this->client[CLIENT_REMOTE_ADDRESS], date('YmdHis')]); @@ -320,7 +320,7 @@ class Dirty { return false; // If there is no recordHashMd5, the check is not possible. Always return 'not modified' (=ok) } - $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to lock not found."); + $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to lock not found."); $rcMd5 = OnArray::getMd5($record); @@ -477,7 +477,7 @@ class Dirty { */ private function deleteDirtyRecord($recordDirtyId) { - $cnt = $this->dbArray[$this->dbIndexQfq]->sql('DELETE FROM Dirty WHERE id=? LIMIT 1', ROW_REGULAR, [$recordDirtyId]); + $cnt = $this->dbArray[$this->dbIndexQfq]->sql('DELETE FROM `Dirty` WHERE `id`=? LIMIT 1', ROW_REGULAR, [$recordDirtyId]); if ($cnt != 1) { throw new \CodeException("Failed to delete dirty record id=" . $recordDirtyId, ERROR_DIRTY_DELETE_RECORD); } diff --git a/extension/Classes/Core/Form/DragAndDrop.php b/extension/Classes/Core/Form/DragAndDrop.php index 12abb017..7c9799c2 100644 --- a/extension/Classes/Core/Form/DragAndDrop.php +++ b/extension/Classes/Core/Form/DragAndDrop.php @@ -204,7 +204,7 @@ class DragAndDrop { return $data; } - $this->db->sql("UPDATE $tableName SET $orderColumn=? WHERE id=?", ROW_REGULAR, [$ordNew, $id]); + $this->db->sql("UPDATE `$tableName` SET `$orderColumn`=? WHERE `id`=?", ROW_REGULAR, [$ordNew, $id]); // Converting to string is necessary: JSON detects int else. $data[API_ELEMENT_UPDATE][DND_ORD_HTML_ID_PREFIX . $id][API_ELEMENT_CONTENT] = (string)$ordNew; diff --git a/extension/Classes/Core/Form/FormAction.php b/extension/Classes/Core/Form/FormAction.php index 352fc2df..37c82fc9 100644 --- a/extension/Classes/Core/Form/FormAction.php +++ b/extension/Classes/Core/Form/FormAction.php @@ -430,7 +430,7 @@ class FormAction { // Check if there is a column with the same name as the 'action'-FormElement. if ($flagFeAction && false !== $this->store->getVar($fe[FE_NAME], STORE_RECORD)) { // After an insert or update, propagate the (new) slave id to the master record. - $this->db->sql("UPDATE " . $this->primaryTableName . " SET " . $fe[FE_NAME] . " = $slaveId WHERE id = ? LIMIT 1", ROW_REGULAR, [$recordId]); + $this->db->sql("UPDATE `" . $this->primaryTableName . "` SET `" . $fe[FE_NAME] . "` = $slaveId WHERE `id` = ? LIMIT 1", ROW_REGULAR, [$recordId]); } } @@ -552,7 +552,7 @@ class FormAction { // will be used in sub paste's // $clipboard["_src_id"] = $newColumns[COLUMN_ID]; - $rowSrc = $this->db->sql("SELECT * FROM $recordSourceTable WHERE id=?", ROW_EXPECT_1, [$newColumns[COLUMN_ID]]); + $rowSrc = $this->db->sql("SELECT * FROM `$recordSourceTable` WHERE `id`=?", ROW_EXPECT_1, [$newColumns[COLUMN_ID]]); $this->checkNCopyFiles($rowSrc, $newColumns); @@ -603,11 +603,11 @@ class FormAction { foreach ($translateMap as $oldId => $newId) { - $row = $this->db->sql("SELECT $translateIdColumn FROM $tableName WHERE id=$newId", ROW_EXPECT_1); + $row = $this->db->sql("SELECT `$translateIdColumn` FROM `$tableName` WHERE `id`=$newId", ROW_EXPECT_1); if (!empty($row[$translateIdColumn])) { $newNewId = $translateMap[$row[$translateIdColumn]]; - $this->db->sql("UPDATE $tableName SET $translateIdColumn=$newNewId WHERE id=$newId LIMIT 1"); + $this->db->sql("UPDATE `$tableName` SET `$translateIdColumn`=$newNewId WHERE `id`=$newId LIMIT 1"); } } @@ -691,10 +691,10 @@ class FormAction { return (0); } - $keyString = implode(',', $keys); + $keyString = '`' . implode('`,`', $keys) . '`'; $valueString = implode(',', $placeholder); - $sql = "INSERT INTO $destTable ($keyString) VALUES ($valueString)"; + $sql = "INSERT INTO `$destTable` ($keyString) VALUES ($valueString)"; return $this->db->sql($sql, ROW_REGULAR, $values); diff --git a/extension/Classes/Core/QuickFormQuery.php b/extension/Classes/Core/QuickFormQuery.php index 0f9e3a3b..57c2c46c 100644 --- a/extension/Classes/Core/QuickFormQuery.php +++ b/extension/Classes/Core/QuickFormQuery.php @@ -766,7 +766,7 @@ class QuickFormQuery { $pageId = $this->store->getVar(TYPO3_PAGE_ID, STORE_TYPO3, SANITIZE_ALLOW_ALNUMX); $sessionId = session_id(); - $sql = "INSERT INTO FormSubmitLog (formData, sipData, clientIp, feUser, userAgent, formId, recordId, pageId, sessionId, created)" . + $sql = "INSERT INTO `FormSubmitLog` (`formData`, `sipData`, `clientIp`, `feUser`, `userAgent`, `formId`, `recordId`, `pageId`, `sessionId`, `created`)" . "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())"; $params = [$formData, $sipData, $clientIp, $feUser, $userAgent, $formId, $recordId, $pageId, $sessionId]; $this->dbArray[$this->dbIndexQfq]->sql($sql, ROW_REGULAR, $params); @@ -866,7 +866,7 @@ class QuickFormQuery { } # select clipboard records - $sql = "SELECT c.idSrc as id, c.xId FROM Clipboard AS c WHERE c.cookie='$cookieQfq' AND c.formIdPaste=$formId ORDER BY c.id"; + $sql = "SELECT c.idSrc as id, c.xId FROM `Clipboard` AS c WHERE `c`.`cookie`='$cookieQfq' AND `c`.`formIdPaste`=$formId ORDER BY `c`.`id`"; $arrClipboard = $this->dbArray[$this->dbIndexQfq]->sql($sql); // Process clipboard records. @@ -1006,7 +1006,7 @@ class QuickFormQuery { // Load form $constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below - $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f.$constant LIKE ? AND f.deleted='no'", ROW_EXPECT_1, + $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Form` AS f WHERE `f`.`$constant` LIKE ? AND `f`.`deleted`='no'", ROW_EXPECT_1, [$formName], 'Form "' . $formName . '" not found or multiple forms with the same name.'); $form = $this->checkFormLogMode($form); @@ -1727,12 +1727,12 @@ class QuickFormQuery { $dbT3 = $this->store->getVar(SYSTEM_DB_NAME_T3, STORE_SYSTEM); // Update bodytext - $sql = "UPDATE $dbT3.tt_content SET bodytext = ?, tstamp = UNIX_TIMESTAMP(NOW()) WHERE uid = ?"; + $sql = "UPDATE `$dbT3`.`tt_content` SET `bodytext` = ?, `tstamp` = UNIX_TIMESTAMP(NOW()) WHERE `uid` = ?"; $this->dbArray[$this->dbIndexData]->sql($sql, ROW_REGULAR, [$bodytext, $uid]); // Clear cache // Need to truncate cf_cache_pages because it is used to restore page-specific cache - $sql = "DELETE FROM $dbT3.cf_cache_pages WHERE 1"; + $sql = "DELETE FROM `$dbT3`.`cf_cache_pages`"; $this->dbArray[$this->dbIndexData]->sql($sql); $this->formSpec[F_FORWARD_MODE] = 'auto'; @@ -1902,7 +1902,7 @@ class QuickFormQuery { $view = Store::getVar(SETTING_TABLESORTER_VIEW, STORE_CLIENT, SANITIZE_ALLOW_ALLBUT); $rows = $this->dbArray[$this->dbIndexQfq]->sql( - 'SELECT sett.id, sett.readonly FROM ' . SETTING_TABLE_NAME . ' AS sett WHERE tableId=? AND name=? AND IF(?, public, feUser=? AND !public)', + 'SELECT `sett`.`id`, `sett`.`readonly` FROM `' . SETTING_TABLE_NAME . '` AS sett WHERE `tableId`=? AND `name`=? AND IF(?, public, feUser=? AND !public)', ROW_REGULAR, [$tableId, $name, $public, $feUser]); // Protect Setting 'Clear' @@ -1916,7 +1916,7 @@ class QuickFormQuery { if ($mode != SETTING_TABLESORTER_MODE_DELETE) { // Insert $this->dbArray[$this->dbIndexQfq]->sql( - 'INSERT INTO ' . SETTING_TABLE_NAME . ' (type, name, public, feUser, tableId, view) VALUES (?,?,?,?,?,?)', + 'INSERT INTO `' . SETTING_TABLE_NAME . '` (`type`, `name`, `public`, `feUser`, `tableId`, `view`) VALUES (?,?,?,?,?,?)', ROW_REGULAR, [SETTING_TYPE_TABLESORTER, $name, $public, $feUser, $tableId, $view]); } break; @@ -1930,13 +1930,13 @@ class QuickFormQuery { if ($mode == SETTING_TABLESORTER_MODE_DELETE) { // Delete 'view' $this->dbArray[$this->dbIndexQfq]->sql( - 'DELETE FROM ' . SETTING_TABLE_NAME . ' WHERE id=?', + 'DELETE FROM `' . SETTING_TABLE_NAME . '` WHERE `id`=?', ROW_REGULAR, [$rows[0]['id']]); } else { // Update 'view' $this->dbArray[$this->dbIndexQfq]->sql( - 'UPDATE ' . SETTING_TABLE_NAME . ' SET view=? WHERE id=?', + 'UPDATE `' . SETTING_TABLE_NAME . '` SET `view`=? WHERE `id`=?', ROW_REGULAR, [$view, $rows[0]['id']]); } break; diff --git a/extension/Classes/Core/Report/Download.php b/extension/Classes/Core/Report/Download.php index b86e677e..73ce2f23 100644 --- a/extension/Classes/Core/Report/Download.php +++ b/extension/Classes/Core/Report/Download.php @@ -408,7 +408,7 @@ class Download { } $dbT3 = $this->store->getVar(SYSTEM_DB_NAME_T3, STORE_SYSTEM); - $sql = "SELECT bodytext FROM $dbT3.tt_content WHERE uid = ?"; + $sql = "SELECT `bodytext` FROM `$dbT3`.`tt_content` WHERE `uid` = ?"; $tt_content = $this->db->sql($sql, ROW_EXPECT_1, [$uid]); $qfq = new QuickFormQuery([T3DATA_BODYTEXT => $tt_content[T3DATA_BODYTEXT]], false, false); diff --git a/extension/Classes/Core/Report/SendMail.php b/extension/Classes/Core/Report/SendMail.php index 810b1cdb..62f58da8 100644 --- a/extension/Classes/Core/Report/SendMail.php +++ b/extension/Classes/Core/Report/SendMail.php @@ -136,11 +136,14 @@ class SendMail { * @throws \CodeException * @throws \DbException * @throws \DownloadException - * @throws \UserFormException - * @throws \UserReportException * @throws \PhpOffice\PhpSpreadsheet\Exception * @throws \PhpOffice\PhpSpreadsheet\Reader\Exception * @throws \PhpOffice\PhpSpreadsheet\Writer\Exception + * @throws \Twig\Error\LoaderError + * @throws \Twig\Error\RuntimeError + * @throws \Twig\Error\SyntaxError + * @throws \UserFormException + * @throws \UserReportException */ private function sendEmail(array $mailConfig) { $args = array(); @@ -312,7 +315,7 @@ class SendMail { $log[] = empty($mailConfig[SENDMAIL_TOKEN_SRC]) ? 0 : $mailConfig[SENDMAIL_TOKEN_SRC]; $db = new Database(); - $db->sql('INSERT INTO MailLog (`receiver`, `cc`, `bcc`, `sender`, `subject`, `body`, `header`, `attach`, `grId`, `xId`, `xId2`, `xId3`, `src`, `modified`, `created`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NOW() )', ROW_REGULAR, $log); + $db->sql('INSERT INTO `MailLog` (`receiver`, `cc`, `bcc`, `sender`, `subject`, `body`, `header`, `attach`, `grId`, `xId`, `xId2`, `xId3`, `src`, `modified`, `created`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NOW() )', ROW_REGULAR, $log); } @@ -327,11 +330,14 @@ class SendMail { * @throws \CodeException * @throws \DbException * @throws \DownloadException - * @throws \UserFormException - * @throws \UserReportException * @throws \PhpOffice\PhpSpreadsheet\Exception * @throws \PhpOffice\PhpSpreadsheet\Reader\Exception * @throws \PhpOffice\PhpSpreadsheet\Writer\Exception + * @throws \Twig\Error\LoaderError + * @throws \Twig\Error\RuntimeError + * @throws \Twig\Error\SyntaxError + * @throws \UserFormException + * @throws \UserReportException */ private function attachmentsBuild(array $attachments) { $files = array(); diff --git a/extension/Classes/Core/Report/Tablesorter.php b/extension/Classes/Core/Report/Tablesorter.php index 66a838fc..e57b1835 100644 --- a/extension/Classes/Core/Report/Tablesorter.php +++ b/extension/Classes/Core/Report/Tablesorter.php @@ -108,8 +108,8 @@ class Tablesorter { private function getTableViewAsJson($tableId, $feUser) { // Sort list by public, name - $tablesorterViews = $this->db->sql("SELECT sett.name, sett.public, sett.tableId, sett.view FROM " . SETTING_TABLE_NAME . - " AS sett WHERE type=? AND tableId=? AND ((!public AND feUser=?) OR public) ORDER BY sett.public DESC, sett.name, sett.id", + $tablesorterViews = $this->db->sql("SELECT `sett`.`name`, `sett`.`public`, `sett`.`tableId`, `sett`.`view` FROM `" . SETTING_TABLE_NAME . + "` AS sett WHERE `type`=? AND `tableId`=? AND ((!`public` AND `feUser`=?) OR `public`) ORDER BY `sett`.`public` DESC, `sett`.`name`, `sett`.`id`", ROW_REGULAR, [SETTING_TYPE_TABLESORTER, $tableId, $feUser]); foreach ($tablesorterViews AS $key => $row) { diff --git a/extension/Classes/Core/Save.php b/extension/Classes/Core/Save.php index 96c09556..396a02d4 100644 --- a/extension/Classes/Core/Save.php +++ b/extension/Classes/Core/Save.php @@ -137,7 +137,7 @@ class Save { $this->store->setStore($row, STORE_PARENT_RECORD, true); $this->store->setVar(F_MULTI_COL_ID, $row[$idName], STORE_PARENT_RECORD); // In case '_id' is used, both '_id' and 'id' should be accessible. - $record = $this->db->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE id=' . $row[$idName], ROW_EXPECT_1); + $record = $this->db->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE `id`=' . $row[$idName], ROW_EXPECT_1); $this->store->setStore($record, STORE_RECORD, true); // Fake current recordId @@ -369,7 +369,7 @@ class Save { $paramList = substr($paramList, 0, strlen($paramList) - 2); $columnList = '`' . implode('`, `', array_keys($values)) . '`'; - $sql = "INSERT INTO $tableName ( " . $columnList . " ) VALUES ( " . $paramList . ' )'; + $sql = "INSERT INTO `$tableName` ( " . $columnList . " ) VALUES ( " . $paramList . ' )'; $rc = $this->db->sql($sql, ROW_REGULAR, array_values($values)); @@ -911,7 +911,7 @@ class Save { // Import the data foreach ($worksheetData AS $rowIndex => $row) { - $columnList = implode(',', $columnListArr); + $columnList = '`' . implode('`,`', $columnListArr) . '`'; $paramPlaceholders = str_repeat('?,', count($worksheetData[0]) - 1) . '?'; $insertSql = "INSERT INTO `$tableName` ($columnList) VALUES ($paramPlaceholders)"; $this->db->sql($insertSql, ROW_REGULAR, $row); @@ -1121,7 +1121,7 @@ class Save { // Create DB records according to the extracted filenames. $tableName = TABLE_NAME_SPLIT; - $sql = "INSERT INTO $tableName (`tableName`, `xId`, `pathFilename`) VALUES (?,?,?)"; + $sql = "INSERT INTO `$tableName` (`tableName`, `xId`, `pathFilename`) VALUES (?,?,?)"; // 1) Move split files to final location. 2) Created records to reference each split file. foreach ($files as $file) { diff --git a/extension/Classes/Core/Store/FillStoreForm.php b/extension/Classes/Core/Store/FillStoreForm.php index 5845525f..bb794356 100644 --- a/extension/Classes/Core/Store/FillStoreForm.php +++ b/extension/Classes/Core/Store/FillStoreForm.php @@ -72,7 +72,7 @@ class FillStoreForm { if (!empty($form) && !defined('PHPUNIT_QFQ')) { // To make STORE_RECORD available at a very early stage. $recordId = $this->store->getVar(SIP_RECORD_ID, STORE_SIP, SANITIZE_ALLOW_DIGIT); - $tableFromFormSql = "SELECT tableName, primaryKey FROM Form WHERE name=?"; + $tableFromFormSql = "SELECT `tableName`, `primaryKey` FROM `Form` WHERE `name`=?"; $form = $this->dbArray[$this->dbIndexQfq]->sql($tableFromFormSql, ROW_EXPECT_1, [$form]); if (empty($form[F_PRIMARY_KEY])) { diff --git a/extension/Classes/Core/Store/Store.php b/extension/Classes/Core/Store/Store.php index 7e645409..c6ec92b6 100644 --- a/extension/Classes/Core/Store/Store.php +++ b/extension/Classes/Core/Store/Store.php @@ -918,7 +918,7 @@ class Store { $primaryKey = F_PRIMARY_KEY_DEFAULT; } - $record = $db->sql("SELECT * FROM $tableName WHERE $primaryKey = ?", ROW_EXPECT_1, [$recordId]); + $record = $db->sql("SELECT * FROM `$tableName` WHERE `$primaryKey` = ?", ROW_EXPECT_1, [$recordId]); self::setStore($record, $store, true); } } -- GitLab