Commit e32d8e91 authored by Carsten  Rose's avatar Carsten Rose

Fixes #5869 Tablenames not properly escaped

parent 671269ad
Pipeline #3197 passed with stages
in 3 minutes and 38 seconds
...@@ -253,7 +253,7 @@ abstract class AbstractBuildForm { ...@@ -253,7 +253,7 @@ abstract class AbstractBuildForm {
$this->store->setStore($row, STORE_PARENT_RECORD, true); $this->store->setStore($row, STORE_PARENT_RECORD, true);
$this->store->setVar(F_MULTI_COL_ID, $row[$idName], STORE_PARENT_RECORD); // In case '_id' is used, both '_id' and 'id' should be accessible. $this->store->setVar(F_MULTI_COL_ID, $row[$idName], STORE_PARENT_RECORD); // In case '_id' is used, both '_id' and 'id' should be accessible.
$record = $this->dbArray[$this->dbIndexData]->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE id=' . $row[F_MULTI_COL_ID], ROW_EXPECT_1); $record = $this->dbArray[$this->dbIndexData]->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE `id`=' . $row[F_MULTI_COL_ID], ROW_EXPECT_1);
$this->store->setStore($record, STORE_RECORD, true); $this->store->setStore($record, STORE_RECORD, true);
$jsonTmp = array(); $jsonTmp = array();
...@@ -555,7 +555,7 @@ abstract class AbstractBuildForm { ...@@ -555,7 +555,7 @@ abstract class AbstractBuildForm {
$record = array(); $record = array();
if ($recordId != 0) { if ($recordId != 0) {
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to load not found."); $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to load not found.");
} }
return OnArray::getMd5($record); return OnArray::getMd5($record);
...@@ -742,7 +742,7 @@ abstract class AbstractBuildForm { ...@@ -742,7 +742,7 @@ abstract class AbstractBuildForm {
$primaryKey = $this->formSpec[F_PRIMARY_KEY]; $primaryKey = $this->formSpec[F_PRIMARY_KEY];
if ($recordId > 0 && $this->store->getVar($primaryKey, STORE_RECORD) === false) { if ($recordId > 0 && $this->store->getVar($primaryKey, STORE_RECORD) === false) {
$tableName = $this->formSpec[F_TABLE_NAME]; $tableName = $this->formSpec[F_TABLE_NAME];
$row = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey = ?", ROW_EXPECT_1, $row = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey` = ?", ROW_EXPECT_1,
array($recordId), "Form '" . $this->formSpec[F_NAME] . "' failed to load record '$primaryKey'='$recordId' from table '" . array($recordId), "Form '" . $this->formSpec[F_NAME] . "' failed to load record '$primaryKey'='$recordId' from table '" .
$this->formSpec[F_TABLE_NAME] . "'."); $this->formSpec[F_TABLE_NAME] . "'.");
$this->store->setStore($row, STORE_RECORD); $this->store->setStore($row, STORE_RECORD);
...@@ -2108,7 +2108,7 @@ abstract class AbstractBuildForm { ...@@ -2108,7 +2108,7 @@ abstract class AbstractBuildForm {
} elseif (!empty($formElement[SUBRECORD_PARAMETER_FORM])) { } elseif (!empty($formElement[SUBRECORD_PARAMETER_FORM])) {
// Read table from form specified in subrecord // Read table from form specified in subrecord
$formName = $formElement[SUBRECORD_PARAMETER_FORM]; $formName = $formElement[SUBRECORD_PARAMETER_FORM];
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f." . F_NAME . " LIKE ? AND f.deleted='no'", $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Form` AS f WHERE `f`.`" . F_NAME . "` LIKE ? AND `f`.`deleted`='no'",
ROW_REGULAR, [$formName]); ROW_REGULAR, [$formName]);
if (count($form) > 0) { if (count($form) > 0) {
$dndTable = $form[0][F_TABLE_NAME]; $dndTable = $form[0][F_TABLE_NAME];
...@@ -2371,7 +2371,7 @@ abstract class AbstractBuildForm { ...@@ -2371,7 +2371,7 @@ abstract class AbstractBuildForm {
* @throws \UserFormException * @throws \UserFormException
*/ */
private function getFormTable($formName) { private function getFormTable($formName) {
$row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT " . F_TABLE_NAME . " FROM Form AS f WHERE f.name = ?", ROW_EXPECT_0_1, [$formName]); $row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `" . F_TABLE_NAME . "` FROM `Form` AS f WHERE `f`.`name` = ?", ROW_EXPECT_0_1, [$formName]);
if (isset($row[F_TABLE_NAME])) { if (isset($row[F_TABLE_NAME])) {
return $row[F_TABLE_NAME]; return $row[F_TABLE_NAME];
} }
......
...@@ -252,7 +252,7 @@ class BuildFormBootstrap extends AbstractBuildForm { ...@@ -252,7 +252,7 @@ class BuildFormBootstrap extends AbstractBuildForm {
break; break;
case 'formElement': case 'formElement':
if (false !== ($formId = $this->store->getVar(FE_FORM_ID, STORE_SIP . STORE_RECORD))) { if (false !== ($formId = $this->store->getVar(FE_FORM_ID, STORE_SIP . STORE_RECORD))) {
$row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT f.name FROM Form AS f WHERE id=" . $formId, ROW_EXPECT_1); $row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `f`.`name` FROM `Form` AS f WHERE `id`=" . $formId, ROW_EXPECT_1);
$form = current($row); $form = current($row);
} }
break; break;
......
...@@ -63,15 +63,15 @@ const RETURN_URL = 'return_url'; ...@@ -63,15 +63,15 @@ const RETURN_URL = 'return_url';
const RETURN_SIP = 'return_sip'; const RETURN_SIP = 'return_sip';
const RETURN_ARRAY = 'return_array'; const RETURN_ARRAY = 'return_array';
const SQL_FORM_ELEMENT_BY_ID = "SELECT * FROM FormElement AS fe WHERE fe.id = ?"; const SQL_FORM_ELEMENT_BY_ID = "SELECT * FROM `FormElement` AS fe WHERE `fe`.`id` = ?";
const SQL_FORM_ELEMENT_RAW = "SELECT * FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; const SQL_FORM_ELEMENT_RAW = "SELECT * FROM `FormElement` AS `fe` WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_SPECIFIC_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND FIND_IN_SET(fe.class, ? ) AND fe.feIdContainer = ? AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; const SQL_FORM_ELEMENT_SPECIFIC_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM `FormElement` AS fe WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND FIND_IN_SET(`fe`.`class`, ? ) AND `fe`.`feIdContainer` = ? AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_ALL_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND FIND_IN_SET(fe.class, ? ) AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; const SQL_FORM_ELEMENT_ALL_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM `FormElement` AS `fe` WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND FIND_IN_SET(`fe`.`class`, ? ) AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_SIMPLE_ALL_CONTAINER = "SELECT fe.id, fe.feIdContainer, fe.name, fe.value, fe.label, fe.type, fe.encode, fe.checkType, fe.checkPattern, fe.mode, fe.modeSql, fe.parameter, fe.dynamicUpdate FROM FormElement AS fe, Form AS f WHERE f.name = ? AND f.id = fe.formId AND fe.deleted = 'no' AND fe.class = 'native' AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; const SQL_FORM_ELEMENT_SIMPLE_ALL_CONTAINER = "SELECT `fe`.`id`, `fe`.`feIdContainer`, `fe`.`name`, `fe`.`value`, `fe`.`label`, `fe`.`type`, `fe`.`encode`, `fe`.`checkType`, `fe`.`checkPattern`, `fe`.`mode`, `fe`.`modeSql`, `fe`.`parameter`, `fe`.`dynamicUpdate` FROM `FormElement` AS fe, `Form` AS f WHERE `f`.`name` = ? AND `f`.`id` = `fe`.`formId` AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'native' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_CONTAINER_TEMPLATE_GROUP = "SELECT fe.id, fe.name, fe.label, fe.maxLength, fe.parameter FROM FormElement AS fe, Form AS f WHERE f.name = ? AND f.id = fe.formId AND fe.deleted = 'no' AND fe.class = 'container' AND fe.type='templateGroup' AND fe.enabled='yes' ORDER BY fe.ord, fe.id"; const SQL_FORM_ELEMENT_CONTAINER_TEMPLATE_GROUP = "SELECT `fe`.`id`, `fe`.`name`, `fe`.`label`, `fe`.`maxLength`, `fe`.`parameter` FROM `FormElement` AS fe, `Form` AS f WHERE `f`.`name` = ? AND `f`.`id` = `fe`.`formId` AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'container' AND `fe`.`type`='templateGroup' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_TEMPLATE_GROUP_FE_ID = "SELECT * FROM FormElement AS fe WHERE fe.id = ? AND fe.deleted = 'no' AND fe.class = 'container' AND fe.type='templateGroup' AND fe.enabled='yes' "; const SQL_FORM_ELEMENT_TEMPLATE_GROUP_FE_ID = "SELECT * FROM `FormElement` AS fe WHERE `fe`.`id` = ? AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'container' AND `fe`.`type`='templateGroup' AND `fe`.`enabled`='yes' ";
//const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT fe.*, IFNULL(feTg.maxLength,0) AS _tgCopies FROM FormElement AS fe LEFT JOIN FormElement AS feTg ON fe.feIdContainer=feTg.id AND feTg.deleted = 'no' AND feTg.class = 'container' AND feTg.type='templateGroup' AND feTg.enabled='yes' WHERE fe.formId = ? AND fe.deleted = 'no' AND fe.class = 'native' AND fe.enabled='yes'"; //const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT fe.*, IFNULL(feTg.maxLength,0) AS _tgCopies FROM FormElement AS fe LEFT JOIN FormElement AS feTg ON fe.feIdContainer=feTg.id AND feTg.deleted = 'no' AND feTg.class = 'container' AND feTg.type='templateGroup' AND feTg.enabled='yes' WHERE fe.formId = ? AND fe.deleted = 'no' AND fe.class = 'native' AND fe.enabled='yes'";
const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT fe.*, IFNULL(feTg.maxLength,0) AS _tgCopies FROM FormElement AS fe LEFT JOIN FormElement AS feTg ON fe.feIdContainer=feTg.id AND feTg.deleted = 'no' AND feTg.class = 'container' AND feTg.type='templateGroup' AND feTg.enabled='yes' WHERE fe.formId = ? AND fe.deleted = 'no' AND (fe.class = 'native' OR (fe.class = 'container' AND fe.type='pill')) AND fe.enabled='yes'"; const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT `fe`.*, IFNULL(`feTg`.`maxLength`,0) AS _tgCopies FROM `FormElement` AS fe LEFT JOIN `FormElement` AS feTg ON `fe`.`feIdContainer`=`feTg`.`id` AND `feTg`.`deleted` = 'no' AND `feTg`.`class` = 'container' AND `feTg`.`type`='templateGroup' AND `feTg`.`enabled`='yes' WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND (`fe`.`class` = 'native' OR (`fe`.`class` = 'container' AND `fe`.`type`='pill')) AND `fe`.`enabled`='yes'";
const NAME_TG_COPIES = '_tgCopies'; // Number of templatesGroup copies to create on the fly. Also used in SQL_FORM_ELEMENT_NATIVE_TG_COUNT. const NAME_TG_COPIES = '_tgCopies'; // Number of templatesGroup copies to create on the fly. Also used in SQL_FORM_ELEMENT_NATIVE_TG_COUNT.
const FE_TG_INDEX = '_tgIndex'; // Index of the current copy of a templateGroup FE. const FE_TG_INDEX = '_tgIndex'; // Index of the current copy of a templateGroup FE.
......
...@@ -1055,7 +1055,7 @@ class Database { ...@@ -1055,7 +1055,7 @@ class Database {
*/ */
public function deleteSplitFileAndRecord($xId, $tableName) { public function deleteSplitFileAndRecord($xId, $tableName) {
$sql = 'SELECT pathFileName FROM ' . TABLE_NAME_SPLIT . ' WHERE tableName=? AND xId=?'; $sql = 'SELECT `pathFileName` FROM `' . TABLE_NAME_SPLIT . '` WHERE `tableName`=? AND `xId`=?';
$data = $this->sql($sql, ROW_REGULAR, [$tableName, $xId]); $data = $this->sql($sql, ROW_REGULAR, [$tableName, $xId]);
foreach ($data AS $row) { foreach ($data AS $row) {
...@@ -1064,7 +1064,7 @@ class Database { ...@@ -1064,7 +1064,7 @@ class Database {
} }
} }
$this->sql('DELETE FROM ' . TABLE_NAME_SPLIT . ' WHERE tableName=? AND xId=?', ROW_REGULAR, [$tableName, $xId]); $this->sql('DELETE FROM `' . TABLE_NAME_SPLIT . '` WHERE `tableName`=? AND `xId`=?', ROW_REGULAR, [$tableName, $xId]);
} }
} }
\ No newline at end of file
...@@ -201,14 +201,14 @@ class DatabaseUpdate { ...@@ -201,14 +201,14 @@ class DatabaseUpdate {
if (defined('PHPUNIT_QFQ')) { if (defined('PHPUNIT_QFQ')) {
$res = array(); $res = array();
} else { } else {
$res = $this->db->sql("SELECT uid, header, bodytext FROM " . $dbT3 . ".tt_content WHERE CType='qfq_qfq' AND deleted=0;"); $res = $this->db->sql("SELECT `uid`, `header`, `bodytext` FROM `" . $dbT3 . "`.`tt_content` WHERE `CType`='qfq_qfq' AND `deleted`=0;");
} }
foreach ($res as $i => $tt_content) { foreach ($res as $i => $tt_content) {
$replaced_placeholder = preg_replace($patterns, '${1}' . $placeholder . '${2}', $tt_content['bodytext']); $replaced_placeholder = preg_replace($patterns, '${1}' . $placeholder . '${2}', $tt_content['bodytext']);
if (strpos($replaced_placeholder, $placeholder) !== false) { if (strpos($replaced_placeholder, $placeholder) !== false) {
if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) { if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) {
$replace = str_replace($placeholder, '_', $replaced_placeholder); $replace = str_replace($placeholder, '_', $replaced_placeholder);
$query = "UPDATE " . $dbT3 . ".tt_content SET bodytext='" . addslashes($replace) . "' WHERE uid='" . $tt_content['uid'] . "'"; $query = "UPDATE `" . $dbT3 . "`.`tt_content` SET `bodytext`='" . addslashes($replace) . "' WHERE `uid`='" . $tt_content['uid'] . "'";
$this->db->sql($query); $this->db->sql($query);
} }
$message_fe .= '<hr><b>' . $tt_content['header'] . ' [uid:' . $tt_content['uid'] . ']</b><br><br>'; $message_fe .= '<hr><b>' . $tt_content['header'] . ' [uid:' . $tt_content['uid'] . ']</b><br><br>';
...@@ -226,7 +226,7 @@ class DatabaseUpdate { ...@@ -226,7 +226,7 @@ class DatabaseUpdate {
if (defined('PHPUNIT_QFQ')) { if (defined('PHPUNIT_QFQ')) {
$res = array(); $res = array();
} else { } else {
$res = $this->db->sql("SELECT fe.id, fe.name, fe.value, fe.note FROM FormElement as fe WHERE fe.type='note' AND fe.value LIKE '#!report%' OR fe.note LIKE '%#!report%';"); $res = $this->db->sql("SELECT `fe`.`id`, `fe`.`name`, `fe`.`value`, `fe`.`note` FROM `FormElement` AS fe WHERE `fe`.`type`='note' AND `fe`.`value` LIKE '#!report%' OR `fe`.`note` LIKE '%#!report%';");
} }
foreach ($res as $i => $tt_content) { foreach ($res as $i => $tt_content) {
...@@ -235,7 +235,7 @@ class DatabaseUpdate { ...@@ -235,7 +235,7 @@ class DatabaseUpdate {
if (strpos($replaced_placeholder, $placeholder) !== false) { if (strpos($replaced_placeholder, $placeholder) !== false) {
if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) { if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) {
$replace = str_replace($placeholder, '_', $replaced_placeholder); $replace = str_replace($placeholder, '_', $replaced_placeholder);
$query = "UPDATE FormElement SET " . $columnName . "='" . addslashes($replace) . "' WHERE id='" . $tt_content['id'] . "'"; $query = "UPDATE `FormElement` SET `" . $columnName . "`='" . addslashes($replace) . "' WHERE `id`='" . $tt_content['id'] . "'";
$this->db->sql($query); $this->db->sql($query);
} }
$message_ttc .= '<hr><b>' . $tt_content['name'] . ' [id:' . $tt_content['id'] . '] (FormElement.' . $columnName . ')</b><br><br>'; $message_ttc .= '<hr><b>' . $tt_content['name'] . ' [id:' . $tt_content['id'] . '] (FormElement.' . $columnName . ')</b><br><br>';
......
...@@ -23,7 +23,7 @@ $UPDATE_ARRAY = array( ...@@ -23,7 +23,7 @@ $UPDATE_ARRAY = array(
], ],
'0.15.0' => [ '0.15.0' => [
"UPDATE FormElement SET parameter = REPLACE(parameter, 'typeAheadLdapKeyPrintf', 'typeAheadLdapIdPrintf')", "UPDATE `FormElement` SET `parameter` = REPLACE(parameter, 'typeAheadLdapKeyPrintf', 'typeAheadLdapIdPrintf')",
"ALTER TABLE `FormElement` CHANGE `placeholder` `placeholder` VARCHAR( 2048 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '' ", "ALTER TABLE `FormElement` CHANGE `placeholder` `placeholder` VARCHAR( 2048 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '' ",
], ],
...@@ -44,7 +44,7 @@ $UPDATE_ARRAY = array( ...@@ -44,7 +44,7 @@ $UPDATE_ARRAY = array(
'0.18.0' => [ '0.18.0' => [
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'page', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'", "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'page', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'",
"UPDATE Form SET forwardMode='url' WHERE forwardMode='page'", "UPDATE `Form` SET `forwardMode`='url' WHERE `forwardMode`='page'",
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'", "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'",
], ],
...@@ -57,7 +57,7 @@ $UPDATE_ARRAY = array( ...@@ -57,7 +57,7 @@ $UPDATE_ARRAY = array(
"ALTER TABLE `Form` ADD `dirtyMode` ENUM( 'exclusive', 'advisory', 'none' ) NOT NULL DEFAULT 'exclusive' AFTER `requiredParameter`", "ALTER TABLE `Form` ADD `dirtyMode` ENUM( 'exclusive', 'advisory', 'none' ) NOT NULL DEFAULT 'exclusive' AFTER `requiredParameter`",
"ALTER TABLE `Form` ADD `recordLockTimeoutSeconds` INT NOT NULL DEFAULT '900' AFTER `parameter`", "ALTER TABLE `Form` ADD `recordLockTimeoutSeconds` INT NOT NULL DEFAULT '900' AFTER `parameter`",
"CREATE TABLE IF NOT EXISTS `Period` (`id` INT(11) NOT NULL AUTO_INCREMENT, `start` DATETIME NOT NULL, `name` VARCHAR(255) NOT NULL, `modified` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, `created` DATETIME NOT NULL, PRIMARY KEY (`id`), KEY `start` (`start`)) ENGINE = InnoDB DEFAULT CHARSET = utf8 AUTO_INCREMENT = 0;", "CREATE TABLE IF NOT EXISTS `Period` (`id` INT(11) NOT NULL AUTO_INCREMENT, `start` DATETIME NOT NULL, `name` VARCHAR(255) NOT NULL, `modified` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, `created` DATETIME NOT NULL, PRIMARY KEY (`id`), KEY `start` (`start`)) ENGINE = InnoDB DEFAULT CHARSET = utf8 AUTO_INCREMENT = 0;",
"INSERT INTO Period (start, name, created) VALUES (NOW(), 'dummy', NOW());" "INSERT INTO `Period` (`start`, `name`, `created`) VALUES (NOW(), 'dummy', NOW());"
], ],
'0.19.2' => [ '0.19.2' => [
...@@ -79,7 +79,7 @@ $UPDATE_ARRAY = array( ...@@ -79,7 +79,7 @@ $UPDATE_ARRAY = array(
'0.21.0' => [ '0.21.0' => [
"ALTER TABLE `Form` CHANGE `requiredParameter` `requiredParameterNew` VARCHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT ''", "ALTER TABLE `Form` CHANGE `requiredParameter` `requiredParameterNew` VARCHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT ''",
"ALTER TABLE `Form` ADD `requiredParameterEdit` VARCHAR( 255 ) NOT NULL AFTER `requiredParameterNew`", "ALTER TABLE `Form` ADD `requiredParameterEdit` VARCHAR( 255 ) NOT NULL AFTER `requiredParameterNew`",
"UPDATE Form SET requiredParameterEdit=requiredParameterNew", "UPDATE `Form` SET `requiredParameterEdit`=requiredParameterNew",
], ],
'0.24.0' => [ '0.24.0' => [
...@@ -103,7 +103,7 @@ $UPDATE_ARRAY = array( ...@@ -103,7 +103,7 @@ $UPDATE_ARRAY = array(
], ],
'0.25.11' => [ '0.25.11' => [
"UPDATE FormElement SET checkType = 'alnumx', checkPattern = '', parameter = CONCAT(parameter, '\nmin = ', SUBSTRING_INDEX(checkPattern, '|', 1), '\nmax = ', SUBSTRING_INDEX(checkPattern, '|', -1)) WHERE checkType LIKE 'min|max%' AND checkPattern <> ''", "UPDATE `FormElement` SET `checkType` = 'alnumx', checkPattern = '', parameter = CONCAT(parameter, '\nmin = ', SUBSTRING_INDEX(checkPattern, '|', 1), '\nmax = ', SUBSTRING_INDEX(checkPattern, '|', -1)) WHERE checkType LIKE 'min|max%' AND checkPattern <> ''",
"ALTER TABLE `FormElement` CHANGE `checkType` `checkType` ENUM('alnumx','digit','numerical','email','pattern','allbut','all') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'alnumx';", "ALTER TABLE `FormElement` CHANGE `checkType` `checkType` ENUM('alnumx','digit','numerical','email','pattern','allbut','all') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'alnumx';",
], ],
...@@ -120,7 +120,7 @@ $UPDATE_ARRAY = array( ...@@ -120,7 +120,7 @@ $UPDATE_ARRAY = array(
'18.6.0' => [ '18.6.0' => [
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'client','no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'", "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'client','no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'",
"UPDATE `Form` SET forwardMode='auto' WHERE forwardMode='client'", "UPDATE `Form` SET `forwardMode`='auto' WHERE `forwardMode`='client'",
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'close', 'no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';", "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'close', 'no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';",
], ],
...@@ -147,7 +147,7 @@ $UPDATE_ARRAY = array( ...@@ -147,7 +147,7 @@ $UPDATE_ARRAY = array(
'19.3.2' => [ '19.3.2' => [
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto','close','no','url','url-skip-history','url-sip','url-sip-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';", "ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto','close','no','url','url-skip-history','url-sip','url-sip-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';",
"UPDATE `Form` SET forwardMode='url-sip-skip-history' WHERE forwardMode='url-sip'", "UPDATE `Form` SET `forwardMode`='url-sip-skip-history' WHERE `forwardMode`='url-sip'",
], ],
'19.7.2' => [ '19.7.2' => [
......
...@@ -79,12 +79,12 @@ class Delete { ...@@ -79,12 +79,12 @@ class Delete {
} }
// Read record first. // Read record first.
$row = $this->db->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_0_1, [$recordId]); $row = $this->db->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_0_1, [$recordId]);
if (count($row) > 0) { if (count($row) > 0) {
$this->deleteReferencedFiles($row, $tableName, $primaryKey); $this->deleteReferencedFiles($row, $tableName, $primaryKey);
$this->db->sql("DELETE FROM $tableName WHERE $primaryKey =? LIMIT 1", ROW_REGULAR, [$recordId]); $this->db->sql("DELETE FROM `$tableName` WHERE `$primaryKey` =? LIMIT 1", ROW_REGULAR, [$recordId]);
} else { } else {
throw new \UserFormException( throw new \UserFormException(
json_encode([ERROR_MESSAGE_TO_USER => 'Record not found in table', ERROR_MESSAGE_TO_DEVELOPER => "Record $recordId not found in table '$tableName'."]), json_encode([ERROR_MESSAGE_TO_USER => 'Record not found in table', ERROR_MESSAGE_TO_DEVELOPER => "Record $recordId not found in table '$tableName'."]),
...@@ -124,7 +124,7 @@ class Delete { ...@@ -124,7 +124,7 @@ class Delete {
// check if there are other records referencing the same file: do not delete the file now. // check if there are other records referencing the same file: do not delete the file now.
// This check won't find duplicates, if they are spread over different columns or tables. // This check won't find duplicates, if they are spread over different columns or tables.
$samePathFileName = $this->db->sql("SELECT COUNT($primaryKey) AS cnt FROM $tableName WHERE $key LIKE ?", ROW_EXPECT_1, [$file]); $samePathFileName = $this->db->sql("SELECT COUNT($primaryKey) AS cnt FROM `$tableName` WHERE `$key` LIKE ?", ROW_EXPECT_1, [$file]);
if ($samePathFileName['cnt'] === 1) { if ($samePathFileName['cnt'] === 1) {
HelperFile::unlink($file); HelperFile::unlink($file);
$this->db->deleteSplitFileAndRecord($row[$primaryKey], $tableName); $this->db->deleteSplitFileAndRecord($row[$primaryKey], $tableName);
......
...@@ -279,7 +279,7 @@ class AbstractException extends \Exception { ...@@ -279,7 +279,7 @@ class AbstractException extends \Exception {
$linkFormElement = ''; $linkFormElement = '';
try { try {
$db = new Database(); $db = new Database();
$sql = "SELECT id FROM Form WHERE name='" . $storeSystem[SYSTEM_FORM] . "'"; $sql = "SELECT `id` FROM `Form` WHERE `name`='" . $storeSystem[SYSTEM_FORM] . "'";
$r = $db->sql($sql, ROW_EXPECT_0_1); $r = $db->sql($sql, ROW_EXPECT_0_1);
if (!is_numeric($r[F_ID])) { if (!is_numeric($r[F_ID])) {
......
...@@ -125,7 +125,7 @@ class Dirty { ...@@ -125,7 +125,7 @@ class Dirty {
$this->dbIndexData = empty($sipVars[PARAM_DB_INDEX_DATA]) ? $this->store->getVar(SYSTEM_DB_INDEX_DATA, STORE_SYSTEM) : $sipVars[PARAM_DB_INDEX_DATA]; $this->dbIndexData = empty($sipVars[PARAM_DB_INDEX_DATA]) ? $this->store->getVar(SYSTEM_DB_INDEX_DATA, STORE_SYSTEM) : $sipVars[PARAM_DB_INDEX_DATA];
$this->doDbArray($this->dbIndexData, $this->dbIndexQfq); $this->doDbArray($this->dbIndexData, $this->dbIndexQfq);
$tableVars = $this->dbArray[$this->dbIndexQfq]->sql("SELECT tableName, primaryKey, dirtyMode, recordLockTimeoutSeconds FROM Form WHERE name=?", ROW_EXPECT_1, [$sipVars[SIP_FORM]], "Form not found: '" . $sipVars[SIP_FORM] . "'"); $tableVars = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `tableName`, `primaryKey`, `dirtyMode`, `recordLockTimeoutSeconds` FROM `Form` WHERE `name`=?", ROW_EXPECT_1, [$sipVars[SIP_FORM]], "Form not found: '" . $sipVars[SIP_FORM] . "'");
if (empty($tableVars[F_PRIMARY_KEY])) { if (empty($tableVars[F_PRIMARY_KEY])) {
$tableVars[F_PRIMARY_KEY] = F_PRIMARY_KEY_DEFAULT; $tableVars[F_PRIMARY_KEY] = F_PRIMARY_KEY_DEFAULT;
} }
...@@ -208,7 +208,7 @@ class Dirty { ...@@ -208,7 +208,7 @@ class Dirty {
*/ */
private function getRecordDirty($tableName, $recordId) { private function getRecordDirty($tableName, $recordId) {
$recordDirty = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Dirty AS d WHERE d.tableName LIKE ? AND recordId=? ", $recordDirty = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Dirty` AS d WHERE `d`.`tableName` LIKE ? AND `recordId`=? ",
ROW_EXPECT_0_1, [$tableName, $recordId]); ROW_EXPECT_0_1, [$tableName, $recordId]);
// Check if the record is timed out - owner doesn't matter. // Check if the record is timed out - owner doesn't matter.
...@@ -286,12 +286,12 @@ class Dirty { ...@@ -286,12 +286,12 @@ class Dirty {
$primaryKey = $tableVars[F_PRIMARY_KEY]; $primaryKey = $tableVars[F_PRIMARY_KEY];
$formDirtyMode = $tableVars[F_DIRTY_MODE]; $formDirtyMode = $tableVars[F_DIRTY_MODE];
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to lock not found."); $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to lock not found.");
# Dirty workaround: setting the 'expired timestamp' minus 1 second guarantees that the client ask for relock always if the timeout is expired. # Dirty workaround: setting the 'expired timestamp' minus 1 second guarantees that the client ask for relock always if the timeout is expired.
$expire = date('Y-m-d H:i:s', strtotime("+" . $tableVars[F_RECORD_LOCK_TIMEOUT_SECONDS] - 1 . " seconds")); $expire = date('Y-m-d H:i:s', strtotime("+" . $tableVars[F_RECORD_LOCK_TIMEOUT_SECONDS] - 1 . " seconds"));
// Write 'dirty' record // Write 'dirty' record
$this->dbArray[$this->dbIndexQfq]->sql("INSERT INTO Dirty (`sip`, `tableName`, `recordId`, `expire`, `recordHashMd5`, `tabUniqId`, `feUser`, `qfqUserSessionCookie`, `dirtyMode`, `remoteAddress`, `created`) " . $this->dbArray[$this->dbIndexQfq]->sql("INSERT INTO `Dirty` (`sip`, `tableName`, `recordId`, `expire`, `recordHashMd5`, `tabUniqId`, `feUser`, `qfqUserSessionCookie`, `dirtyMode`, `remoteAddress`, `created`) " .
"VALUES ( ?,?,?,?,?,?,?,?,?,?,? )", ROW_REGULAR, "VALUES ( ?,?,?,?,?,?,?,?,?,?,? )", ROW_REGULAR,
[$s, $tableName, $recordId, $expire, $recordHashMd5, $tabUniqId, $feUser, $this->client[CLIENT_COOKIE_QFQ], $formDirtyMode, [$s, $tableName, $recordId, $expire, $recordHashMd5, $tabUniqId, $feUser, $this->client[CLIENT_COOKIE_QFQ], $formDirtyMode,
$this->client[CLIENT_REMOTE_ADDRESS], date('YmdHis')]); $this->client[CLIENT_REMOTE_ADDRESS], date('YmdHis')]);
...@@ -320,7 +320,7 @@ class Dirty { ...@@ -320,7 +320,7 @@ class Dirty {
return false; // If there is no recordHashMd5, the check is not possible. Always return 'not modified' (=ok) return false; // If there is no recordHashMd5, the check is not possible. Always return 'not modified' (=ok)
} }
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to lock not found."); $record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to lock not found.");
$rcMd5 = OnArray::getMd5($record); $rcMd5 = OnArray::getMd5($record);
...@@ -477,7 +477,7 @@ class Dirty { ...@@ -477,7 +477,7 @@ class Dirty {
*/ */
private function deleteDirtyRecord($recordDirtyId) { private function deleteDirtyRecord($recordDirtyId) {
$cnt = $this->dbArray[$this->dbIndexQfq]->sql('DELETE FROM Dirty WHERE id=? LIMIT 1', ROW_REGULAR, [$recordDirtyId]); $cnt = $this->dbArray[$this->dbIndexQfq]->sql('DELETE FROM `Dirty` WHERE `id`=? LIMIT 1', ROW_REGULAR, [$recordDirtyId]);
if ($cnt != 1) { if ($cnt != 1) {
throw new \CodeException("Failed to delete dirty record id=" . $recordDirtyId, ERROR_DIRTY_DELETE_RECORD); throw new \CodeException("Failed to delete dirty record id=" . $recordDirtyId, ERROR_DIRTY_DELETE_RECORD);
} }
......
...@@ -204,7 +204,7 @@ class DragAndDrop { ...@@ -204,7 +204,7 @@ class DragAndDrop {
return $data; return $data;
} }
$this->db->sql("UPDATE $tableName SET $orderColumn=? WHERE id=?", ROW_REGULAR, [$ordNew, $id]); $this->db->sql("UPDATE `$tableName` SET `$orderColumn`=? WHERE `id`=?", ROW_REGULAR, [$ordNew, $id]);
// Converting to string is necessary: JSON detects int else. // Converting to string is necessary: JSON detects int else.
$data[API_ELEMENT_UPDATE][DND_ORD_HTML_ID_PREFIX . $id][API_ELEMENT_CONTENT] = (string)$ordNew; $data[API_ELEMENT_UPDATE][DND_ORD_HTML_ID_PREFIX . $id][API_ELEMENT_CONTENT] = (string)$ordNew;
......
...@@ -430,7 +430,7 @@ class FormAction { ...@@ -430,7 +430,7 @@ class FormAction {
// Check if there is a column with the same name as the 'action'-FormElement. // Check if there is a column with the same name as the 'action'-FormElement.
if ($flagFeAction && false !== $this->store->getVar($fe[FE_NAME], STORE_RECORD)) { if ($flagFeAction && false !== $this->store->getVar($fe[FE_NAME], STORE_RECORD)) {
// After an insert or update, propagate the (new) slave id to the master record. // After an insert or update, propagate the (new) slave id to the master record.
$this->db->sql("UPDATE " . $this->primaryTableName . " SET " . $fe[FE_NAME] . " = $slaveId WHERE id = ? LIMIT 1", ROW_REGULAR, [$recordId]); $this->db->sql("UPDATE `" . $this->primaryTableName . "` SET `" . $fe[FE_NAME] . "` = $slaveId WHERE `id` = ? LIMIT 1", ROW_REGULAR, [$recordId]);
} }
} }
...@@ -552,7 +552,7 @@ class FormAction { ...@@ -552,7 +552,7 @@ class FormAction {
// will be used in sub paste's // will be used in sub paste's
// $clipboard["_src_id"] = $newColumns[COLUMN_ID]; // $clipboard["_src_id"] = $newColumns[COLUMN_ID];
$rowSrc = $this->db->sql("SELECT * FROM $recordSourceTable WHERE id=?", ROW_EXPECT_1, [$newColumns[COLUMN_ID]]); $rowSrc = $this->db->sql("SELECT * FROM `$recordSourceTable` WHERE `id`=?", ROW_EXPECT_1, [$newColumns[COLUMN_ID]]);
$this->checkNCopyFiles($rowSrc, $newColumns); $this->checkNCopyFiles($rowSrc, $newColumns);
...@@ -603,11 +603,11 @@ class FormAction { ...@@ -603,11 +603,11 @@ class FormAction {
foreach ($translateMap as $oldId => $newId) { foreach ($translateMap as $oldId => $newId) {
$row = $this->db->sql("SELECT $translateIdColumn FROM $tableName WHERE id=$newId", ROW_EXPECT_1); $row = $this->db->sql("SELECT `$translateIdColumn` FROM `$tableName` WHERE `id`=$newId", ROW_EXPECT_1);
if (!empty($row[$translateIdColumn])) { if (!empty($row[$translateIdColumn])) {
$newNewId = $translateMap[$row[$translateIdColumn]]; $newNewId = $translateMap[$row[$translateIdColumn]];
$this->db->sql("UPDATE $tableName SET $translateIdColumn=$newNewId WHERE id=$newId LIMIT 1"); $this->db->sql("UPDATE `$tableName` SET `$translateIdColumn`=$newNewId WHERE `id`=$newId LIMIT 1");
} }
} }
...@@ -691,10 +691,10 @@ class FormAction { ...@@ -691,10 +691,10 @@ class FormAction {
return (0); return (0);
} }
$keyString = implode(',', $keys); $keyString = '`' . implode('`,`', $keys) . '`';
$valueString = implode(',', $placeholder); $valueString = implode(',', $placeholder);
$sql = "INSERT INTO $destTable ($keyString) VALUES ($valueString)"; $sql = "INSERT INTO `$destTable` ($keyString) VALUES ($valueString)";
return $this->db->sql($sql, ROW_REGULAR, $values); return $this->db->sql($sql, ROW_REGULAR, $values);
......
...@@ -766,7 +766,7 @@ class QuickFormQuery { ...@@ -766,7 +766,7 @@ class QuickFormQuery {
$pageId = $this->store->getVar(TYPO3_PAGE_ID, STORE_TYPO3, SANITIZE_ALLOW_ALNUMX); $pageId = $this->store->getVar(TYPO3_PAGE_ID, STORE_TYPO3, SANITIZE_ALLOW_ALNUMX);
$sessionId = session_id(); $sessionId = session_id();
$sql = "INSERT INTO FormSubmitLog (formData, sipData, clientIp, feUser, userAgent, formId, recordId, pageId, sessionId, created)" . $sql = "INSERT INTO `FormSubmitLog` (`formData`, `sipData`, `clientIp`, `feUser`, `userAgent`, `formId`, `recordId`, `pageId`, `sessionId`, `created`)" .
"VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())"; "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())";
$params = [$formData, $sipData, $clientIp, $feUser, $userAgent, $formId, $recordId, $pageId, $sessionId]; $params = [$formData, $sipData, $clientIp, $feUser, $userAgent, $formId, $recordId, $pageId, $sessionId];
$this->dbArray[$this->dbIndexQfq]->sql($sql, ROW_REGULAR, $params); $this->dbArray[$this->dbIndexQfq]->sql($sql, ROW_REGULAR, $params);
...@@ -866,7 +866,7 @@ class QuickFormQuery { ...@@ -866,7 +866,7 @@ class QuickFormQuery {
} }
# select clipboard records # select clipboard records
$sql = "SELECT c.idSrc as id, c.xId FROM Clipboard AS c WHERE c.cookie='$cookieQfq' AND c.formIdPaste=$formId ORDER BY c.id"; $sql = "SELECT c.idSrc as id, c.xId FROM `Clipboard` AS c WHERE `c`.`cookie`='$cookieQfq' AND `c`.`formIdPaste`=$formId ORDER BY `c`.`id`";
$arrClipboard = $this->dbArray[$this->dbIndexQfq]->sql($sql); $arrClipboard = $this->dbArray[$this->dbIndexQfq]->sql($sql);
// Process clipboard records. // Process clipboard records.
...@@ -1006,7 +1006,7 @@ class QuickFormQuery { ...@@ -1006,7 +1006,7 @@ class QuickFormQuery {
// Load form // Load form
$constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below $constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f.$constant LIKE ? AND f.deleted='no'", ROW_EXPECT_1, $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Form` AS f WHERE `f`.`$constant` LIKE ? AND `f`.`deleted`='no'", ROW_EXPECT_1,
[$formName], 'Form "' . $formName . '" not found or multiple forms with the same name.'); [$formName], 'Form "' . $formName . '" not found or multiple forms with the same name.');
$form = $this->checkFormLogMode($form); $form = $this->checkFormLogMode($form);
...@@ -1727,12 +1727,12 @@ class QuickFormQuery { ...@@ -1727,12 +1727,12 @@ class QuickFormQuery {
$dbT3 = $this->store->getVar(SYSTEM_DB_NAME_T3, STORE_SYSTEM); $dbT3 = $this->store->getVar(SYSTEM_DB_NAME_T3, STORE_SYSTEM);
// Update bodytext // Update bodytext
$sql = "UPDATE $dbT3.tt_content SET bodytext = ?, tstamp = UNIX_TIMESTAMP(NOW()) WHERE uid = ?"; $sql = "UPDATE `$dbT3`.`tt_content` SET `bodytext` = ?, `tstamp` = UNIX_TIMESTAMP(NOW()) WHERE `uid` = ?";
$this->dbArray[$this->dbIndexData]->sql($sql, ROW_REGULAR, [$bodytext, $uid]); $this->dbArray[$this->dbIndexData]->sql($sql, ROW_REGULAR, [$bodytext, $uid]);
// Clear cache // Clear cache
// Need to truncate cf_cache_pages because it is used to restore page-specific cache // Need to truncate cf_cache_pages because it is used to restore page-specific cache
$sql = "DELETE FROM $dbT3.cf_cache_pages WHERE 1"; $sql = "DELETE FROM `$dbT3`.`cf_cache_pages`";
$this->dbArray[$this->dbIndexData]->sql($sql); $this->dbArray[$this->dbIndexData]->sql($sql);
$this->formSpec[F_FORWARD_MODE] = 'auto'; $this->formSpec[F_FORWARD_MODE] = 'auto';
...@@ -1902,7 +1902,7 @@ class QuickFormQuery { ...@@ -1902,7 +1902,7 @@ class QuickFormQuery {
$view = Store::getVar(SETTING_TABLESORTER_VIEW, STORE_CLIENT, SANITIZE_ALLOW_ALLBUT); $view = Store::getVar(SETTING_TABLESORTER_VIEW, STORE_CLIENT, SANITIZE_ALLOW_ALLBUT);
$rows = $this->dbArray[$this->dbIndexQfq]->sql( $rows = $this->dbArray[$this->dbIndexQfq]->sql(
'SELECT sett.id, sett.readonly FROM ' . SETTING_TABLE_NAME . ' AS sett WHERE tableId=? AND name=? AND IF(?, public, feUser=? AND !public)', 'SELECT `sett`.`id`, `sett`.`readonly` FROM `' . SETTING_TABLE_NAME . '` AS sett WHERE `tableId`=? AND `name`=? AND IF(?, public, feUser=? AND !public)',
ROW_REGULAR, [$tableId, $name, $public, $feUser]); ROW_REGULAR, [$tableId, $name, $public, $feUser]);
// Protect Setting 'Clear' // Protect Setting 'Clear'
...@@ -1916,7 +1916,7 @@ class QuickFormQuery { ...@@ -1916,7 +1916,7 @@ class QuickFormQuery {
if ($mode != SETTING_TABLESORTER_MODE_DELETE) { if ($mode != SETTING_TABLESORTER_MODE_DELETE) {
// Insert // Insert
$this->dbArray[$this->dbIndexQfq]->sql( $this->dbArray[$this->dbIndexQfq]->sql(
'INSERT INTO ' . SETTING_TABLE_NAME . ' (type, name, public, feUser, tableId, view) VALUES (?,?,?,?,?,?)', 'INSERT INTO `' . SETTING_TABLE_NAME . '` (`type`, `name`, `public`, `feUser`, `tableId`, `view`) VALUES (?,?,?,?,?,?)',
ROW_REGULAR, [SETTING_TYPE_TABLESORTER, $name, $public, $feUser, $tableId, $view]); ROW_REGULAR, [SETTING_TYPE_TABLESORTER, $name, $public, $feUser, $tableId, $view]);
} }
break; break;
...@@ -1930,13 +1930,13 @@ class QuickFormQuery { ...@@ -1930,13 +1930,13 @@ class QuickFormQuery {
if ($mode == SETTING_TABLESORTER_MODE_DELETE) { if ($mode == SETTING_TABLESORTER_MODE_DELETE) {
// Delete 'view'