Commit e32d8e91 authored by Carsten  Rose's avatar Carsten Rose

Fixes #5869 Tablenames not properly escaped

parent 671269ad
Pipeline #3197 passed with stages
in 3 minutes and 38 seconds
......@@ -253,7 +253,7 @@ abstract class AbstractBuildForm {
$this->store->setStore($row, STORE_PARENT_RECORD, true);
$this->store->setVar(F_MULTI_COL_ID, $row[$idName], STORE_PARENT_RECORD); // In case '_id' is used, both '_id' and 'id' should be accessible.
$record = $this->dbArray[$this->dbIndexData]->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE id=' . $row[F_MULTI_COL_ID], ROW_EXPECT_1);
$record = $this->dbArray[$this->dbIndexData]->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE `id`=' . $row[F_MULTI_COL_ID], ROW_EXPECT_1);
$this->store->setStore($record, STORE_RECORD, true);
$jsonTmp = array();
......@@ -555,7 +555,7 @@ abstract class AbstractBuildForm {
$record = array();
if ($recordId != 0) {
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to load not found.");
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to load not found.");
}
return OnArray::getMd5($record);
......@@ -742,7 +742,7 @@ abstract class AbstractBuildForm {
$primaryKey = $this->formSpec[F_PRIMARY_KEY];
if ($recordId > 0 && $this->store->getVar($primaryKey, STORE_RECORD) === false) {
$tableName = $this->formSpec[F_TABLE_NAME];
$row = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey = ?", ROW_EXPECT_1,
$row = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey` = ?", ROW_EXPECT_1,
array($recordId), "Form '" . $this->formSpec[F_NAME] . "' failed to load record '$primaryKey'='$recordId' from table '" .
$this->formSpec[F_TABLE_NAME] . "'.");
$this->store->setStore($row, STORE_RECORD);
......@@ -2108,7 +2108,7 @@ abstract class AbstractBuildForm {
} elseif (!empty($formElement[SUBRECORD_PARAMETER_FORM])) {
// Read table from form specified in subrecord
$formName = $formElement[SUBRECORD_PARAMETER_FORM];
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f." . F_NAME . " LIKE ? AND f.deleted='no'",
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Form` AS f WHERE `f`.`" . F_NAME . "` LIKE ? AND `f`.`deleted`='no'",
ROW_REGULAR, [$formName]);
if (count($form) > 0) {
$dndTable = $form[0][F_TABLE_NAME];
......@@ -2371,7 +2371,7 @@ abstract class AbstractBuildForm {
* @throws \UserFormException
*/
private function getFormTable($formName) {
$row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT " . F_TABLE_NAME . " FROM Form AS f WHERE f.name = ?", ROW_EXPECT_0_1, [$formName]);
$row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `" . F_TABLE_NAME . "` FROM `Form` AS f WHERE `f`.`name` = ?", ROW_EXPECT_0_1, [$formName]);
if (isset($row[F_TABLE_NAME])) {
return $row[F_TABLE_NAME];
}
......
......@@ -252,7 +252,7 @@ class BuildFormBootstrap extends AbstractBuildForm {
break;
case 'formElement':
if (false !== ($formId = $this->store->getVar(FE_FORM_ID, STORE_SIP . STORE_RECORD))) {
$row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT f.name FROM Form AS f WHERE id=" . $formId, ROW_EXPECT_1);
$row = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `f`.`name` FROM `Form` AS f WHERE `id`=" . $formId, ROW_EXPECT_1);
$form = current($row);
}
break;
......
......@@ -63,15 +63,15 @@ const RETURN_URL = 'return_url';
const RETURN_SIP = 'return_sip';
const RETURN_ARRAY = 'return_array';
const SQL_FORM_ELEMENT_BY_ID = "SELECT * FROM FormElement AS fe WHERE fe.id = ?";
const SQL_FORM_ELEMENT_RAW = "SELECT * FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND fe.enabled='yes' ORDER BY fe.ord, fe.id";
const SQL_FORM_ELEMENT_SPECIFIC_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND FIND_IN_SET(fe.class, ? ) AND fe.feIdContainer = ? AND fe.enabled='yes' ORDER BY fe.ord, fe.id";
const SQL_FORM_ELEMENT_ALL_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM FormElement AS fe WHERE fe.formId = ? AND fe.deleted = 'no' AND FIND_IN_SET(fe.class, ? ) AND fe.enabled='yes' ORDER BY fe.ord, fe.id";
const SQL_FORM_ELEMENT_SIMPLE_ALL_CONTAINER = "SELECT fe.id, fe.feIdContainer, fe.name, fe.value, fe.label, fe.type, fe.encode, fe.checkType, fe.checkPattern, fe.mode, fe.modeSql, fe.parameter, fe.dynamicUpdate FROM FormElement AS fe, Form AS f WHERE f.name = ? AND f.id = fe.formId AND fe.deleted = 'no' AND fe.class = 'native' AND fe.enabled='yes' ORDER BY fe.ord, fe.id";
const SQL_FORM_ELEMENT_CONTAINER_TEMPLATE_GROUP = "SELECT fe.id, fe.name, fe.label, fe.maxLength, fe.parameter FROM FormElement AS fe, Form AS f WHERE f.name = ? AND f.id = fe.formId AND fe.deleted = 'no' AND fe.class = 'container' AND fe.type='templateGroup' AND fe.enabled='yes' ORDER BY fe.ord, fe.id";
const SQL_FORM_ELEMENT_TEMPLATE_GROUP_FE_ID = "SELECT * FROM FormElement AS fe WHERE fe.id = ? AND fe.deleted = 'no' AND fe.class = 'container' AND fe.type='templateGroup' AND fe.enabled='yes' ";
const SQL_FORM_ELEMENT_BY_ID = "SELECT * FROM `FormElement` AS fe WHERE `fe`.`id` = ?";
const SQL_FORM_ELEMENT_RAW = "SELECT * FROM `FormElement` AS `fe` WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_SPECIFIC_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM `FormElement` AS fe WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND FIND_IN_SET(`fe`.`class`, ? ) AND `fe`.`feIdContainer` = ? AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_ALL_CONTAINER = "SELECT *, ? AS 'nestedInFieldSet' FROM `FormElement` AS `fe` WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND FIND_IN_SET(`fe`.`class`, ? ) AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_SIMPLE_ALL_CONTAINER = "SELECT `fe`.`id`, `fe`.`feIdContainer`, `fe`.`name`, `fe`.`value`, `fe`.`label`, `fe`.`type`, `fe`.`encode`, `fe`.`checkType`, `fe`.`checkPattern`, `fe`.`mode`, `fe`.`modeSql`, `fe`.`parameter`, `fe`.`dynamicUpdate` FROM `FormElement` AS fe, `Form` AS f WHERE `f`.`name` = ? AND `f`.`id` = `fe`.`formId` AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'native' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_CONTAINER_TEMPLATE_GROUP = "SELECT `fe`.`id`, `fe`.`name`, `fe`.`label`, `fe`.`maxLength`, `fe`.`parameter` FROM `FormElement` AS fe, `Form` AS f WHERE `f`.`name` = ? AND `f`.`id` = `fe`.`formId` AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'container' AND `fe`.`type`='templateGroup' AND `fe`.`enabled`='yes' ORDER BY `fe`.`ord`, `fe`.`id`";
const SQL_FORM_ELEMENT_TEMPLATE_GROUP_FE_ID = "SELECT * FROM `FormElement` AS fe WHERE `fe`.`id` = ? AND `fe`.`deleted` = 'no' AND `fe`.`class` = 'container' AND `fe`.`type`='templateGroup' AND `fe`.`enabled`='yes' ";
//const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT fe.*, IFNULL(feTg.maxLength,0) AS _tgCopies FROM FormElement AS fe LEFT JOIN FormElement AS feTg ON fe.feIdContainer=feTg.id AND feTg.deleted = 'no' AND feTg.class = 'container' AND feTg.type='templateGroup' AND feTg.enabled='yes' WHERE fe.formId = ? AND fe.deleted = 'no' AND fe.class = 'native' AND fe.enabled='yes'";
const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT fe.*, IFNULL(feTg.maxLength,0) AS _tgCopies FROM FormElement AS fe LEFT JOIN FormElement AS feTg ON fe.feIdContainer=feTg.id AND feTg.deleted = 'no' AND feTg.class = 'container' AND feTg.type='templateGroup' AND feTg.enabled='yes' WHERE fe.formId = ? AND fe.deleted = 'no' AND (fe.class = 'native' OR (fe.class = 'container' AND fe.type='pill')) AND fe.enabled='yes'";
const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT `fe`.*, IFNULL(`feTg`.`maxLength`,0) AS _tgCopies FROM `FormElement` AS fe LEFT JOIN `FormElement` AS feTg ON `fe`.`feIdContainer`=`feTg`.`id` AND `feTg`.`deleted` = 'no' AND `feTg`.`class` = 'container' AND `feTg`.`type`='templateGroup' AND `feTg`.`enabled`='yes' WHERE `fe`.`formId` = ? AND `fe`.`deleted` = 'no' AND (`fe`.`class` = 'native' OR (`fe`.`class` = 'container' AND `fe`.`type`='pill')) AND `fe`.`enabled`='yes'";
const NAME_TG_COPIES = '_tgCopies'; // Number of templatesGroup copies to create on the fly. Also used in SQL_FORM_ELEMENT_NATIVE_TG_COUNT.
const FE_TG_INDEX = '_tgIndex'; // Index of the current copy of a templateGroup FE.
......
......@@ -1055,7 +1055,7 @@ class Database {
*/
public function deleteSplitFileAndRecord($xId, $tableName) {
$sql = 'SELECT pathFileName FROM ' . TABLE_NAME_SPLIT . ' WHERE tableName=? AND xId=?';
$sql = 'SELECT `pathFileName` FROM `' . TABLE_NAME_SPLIT . '` WHERE `tableName`=? AND `xId`=?';
$data = $this->sql($sql, ROW_REGULAR, [$tableName, $xId]);
foreach ($data AS $row) {
......@@ -1064,7 +1064,7 @@ class Database {
}
}
$this->sql('DELETE FROM ' . TABLE_NAME_SPLIT . ' WHERE tableName=? AND xId=?', ROW_REGULAR, [$tableName, $xId]);
$this->sql('DELETE FROM `' . TABLE_NAME_SPLIT . '` WHERE `tableName`=? AND `xId`=?', ROW_REGULAR, [$tableName, $xId]);
}
}
\ No newline at end of file
......@@ -201,14 +201,14 @@ class DatabaseUpdate {
if (defined('PHPUNIT_QFQ')) {
$res = array();
} else {
$res = $this->db->sql("SELECT uid, header, bodytext FROM " . $dbT3 . ".tt_content WHERE CType='qfq_qfq' AND deleted=0;");
$res = $this->db->sql("SELECT `uid`, `header`, `bodytext` FROM `" . $dbT3 . "`.`tt_content` WHERE `CType`='qfq_qfq' AND `deleted`=0;");
}
foreach ($res as $i => $tt_content) {
$replaced_placeholder = preg_replace($patterns, '${1}' . $placeholder . '${2}', $tt_content['bodytext']);
if (strpos($replaced_placeholder, $placeholder) !== false) {
if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) {
$replace = str_replace($placeholder, '_', $replaced_placeholder);
$query = "UPDATE " . $dbT3 . ".tt_content SET bodytext='" . addslashes($replace) . "' WHERE uid='" . $tt_content['uid'] . "'";
$query = "UPDATE `" . $dbT3 . "`.`tt_content` SET `bodytext`='" . addslashes($replace) . "' WHERE `uid`='" . $tt_content['uid'] . "'";
$this->db->sql($query);
}
$message_fe .= '<hr><b>' . $tt_content['header'] . ' [uid:' . $tt_content['uid'] . ']</b><br><br>';
......@@ -226,7 +226,7 @@ class DatabaseUpdate {
if (defined('PHPUNIT_QFQ')) {
$res = array();
} else {
$res = $this->db->sql("SELECT fe.id, fe.name, fe.value, fe.note FROM FormElement as fe WHERE fe.type='note' AND fe.value LIKE '#!report%' OR fe.note LIKE '%#!report%';");
$res = $this->db->sql("SELECT `fe`.`id`, `fe`.`name`, `fe`.`value`, `fe`.`note` FROM `FormElement` AS fe WHERE `fe`.`type`='note' AND `fe`.`value` LIKE '#!report%' OR `fe`.`note` LIKE '%#!report%';");
}
foreach ($res as $i => $tt_content) {
......@@ -235,7 +235,7 @@ class DatabaseUpdate {
if (strpos($replaced_placeholder, $placeholder) !== false) {
if ($actionSpecialColumn === ACTION_SPECIAL_COLUMN_DO_REPLACE) {
$replace = str_replace($placeholder, '_', $replaced_placeholder);
$query = "UPDATE FormElement SET " . $columnName . "='" . addslashes($replace) . "' WHERE id='" . $tt_content['id'] . "'";
$query = "UPDATE `FormElement` SET `" . $columnName . "`='" . addslashes($replace) . "' WHERE `id`='" . $tt_content['id'] . "'";
$this->db->sql($query);
}
$message_ttc .= '<hr><b>' . $tt_content['name'] . ' [id:' . $tt_content['id'] . '] (FormElement.' . $columnName . ')</b><br><br>';
......
......@@ -23,7 +23,7 @@ $UPDATE_ARRAY = array(
],
'0.15.0' => [
"UPDATE FormElement SET parameter = REPLACE(parameter, 'typeAheadLdapKeyPrintf', 'typeAheadLdapIdPrintf')",
"UPDATE `FormElement` SET `parameter` = REPLACE(parameter, 'typeAheadLdapKeyPrintf', 'typeAheadLdapIdPrintf')",
"ALTER TABLE `FormElement` CHANGE `placeholder` `placeholder` VARCHAR( 2048 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '' ",
],
......@@ -44,7 +44,7 @@ $UPDATE_ARRAY = array(
'0.18.0' => [
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'page', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'",
"UPDATE Form SET forwardMode='url' WHERE forwardMode='page'",
"UPDATE `Form` SET `forwardMode`='url' WHERE `forwardMode`='page'",
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM( 'client', 'no', 'url', 'url-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'",
],
......@@ -57,7 +57,7 @@ $UPDATE_ARRAY = array(
"ALTER TABLE `Form` ADD `dirtyMode` ENUM( 'exclusive', 'advisory', 'none' ) NOT NULL DEFAULT 'exclusive' AFTER `requiredParameter`",
"ALTER TABLE `Form` ADD `recordLockTimeoutSeconds` INT NOT NULL DEFAULT '900' AFTER `parameter`",
"CREATE TABLE IF NOT EXISTS `Period` (`id` INT(11) NOT NULL AUTO_INCREMENT, `start` DATETIME NOT NULL, `name` VARCHAR(255) NOT NULL, `modified` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, `created` DATETIME NOT NULL, PRIMARY KEY (`id`), KEY `start` (`start`)) ENGINE = InnoDB DEFAULT CHARSET = utf8 AUTO_INCREMENT = 0;",
"INSERT INTO Period (start, name, created) VALUES (NOW(), 'dummy', NOW());"
"INSERT INTO `Period` (`start`, `name`, `created`) VALUES (NOW(), 'dummy', NOW());"
],
'0.19.2' => [
......@@ -79,7 +79,7 @@ $UPDATE_ARRAY = array(
'0.21.0' => [
"ALTER TABLE `Form` CHANGE `requiredParameter` `requiredParameterNew` VARCHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT ''",
"ALTER TABLE `Form` ADD `requiredParameterEdit` VARCHAR( 255 ) NOT NULL AFTER `requiredParameterNew`",
"UPDATE Form SET requiredParameterEdit=requiredParameterNew",
"UPDATE `Form` SET `requiredParameterEdit`=requiredParameterNew",
],
'0.24.0' => [
......@@ -103,7 +103,7 @@ $UPDATE_ARRAY = array(
],
'0.25.11' => [
"UPDATE FormElement SET checkType = 'alnumx', checkPattern = '', parameter = CONCAT(parameter, '\nmin = ', SUBSTRING_INDEX(checkPattern, '|', 1), '\nmax = ', SUBSTRING_INDEX(checkPattern, '|', -1)) WHERE checkType LIKE 'min|max%' AND checkPattern <> ''",
"UPDATE `FormElement` SET `checkType` = 'alnumx', checkPattern = '', parameter = CONCAT(parameter, '\nmin = ', SUBSTRING_INDEX(checkPattern, '|', 1), '\nmax = ', SUBSTRING_INDEX(checkPattern, '|', -1)) WHERE checkType LIKE 'min|max%' AND checkPattern <> ''",
"ALTER TABLE `FormElement` CHANGE `checkType` `checkType` ENUM('alnumx','digit','numerical','email','pattern','allbut','all') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'alnumx';",
],
......@@ -120,7 +120,7 @@ $UPDATE_ARRAY = array(
'18.6.0' => [
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'client','no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'client'",
"UPDATE `Form` SET forwardMode='auto' WHERE forwardMode='client'",
"UPDATE `Form` SET `forwardMode`='auto' WHERE `forwardMode`='client'",
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto', 'close', 'no','url','url-skip-history','url-sip') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';",
],
......@@ -147,7 +147,7 @@ $UPDATE_ARRAY = array(
'19.3.2' => [
"ALTER TABLE `Form` CHANGE `forwardMode` `forwardMode` ENUM('auto','close','no','url','url-skip-history','url-sip','url-sip-skip-history' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'auto';",
"UPDATE `Form` SET forwardMode='url-sip-skip-history' WHERE forwardMode='url-sip'",
"UPDATE `Form` SET `forwardMode`='url-sip-skip-history' WHERE `forwardMode`='url-sip'",
],
'19.7.2' => [
......
......@@ -79,12 +79,12 @@ class Delete {
}
// Read record first.
$row = $this->db->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_0_1, [$recordId]);
$row = $this->db->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_0_1, [$recordId]);
if (count($row) > 0) {
$this->deleteReferencedFiles($row, $tableName, $primaryKey);
$this->db->sql("DELETE FROM $tableName WHERE $primaryKey =? LIMIT 1", ROW_REGULAR, [$recordId]);
$this->db->sql("DELETE FROM `$tableName` WHERE `$primaryKey` =? LIMIT 1", ROW_REGULAR, [$recordId]);
} else {
throw new \UserFormException(
json_encode([ERROR_MESSAGE_TO_USER => 'Record not found in table', ERROR_MESSAGE_TO_DEVELOPER => "Record $recordId not found in table '$tableName'."]),
......@@ -124,7 +124,7 @@ class Delete {
// check if there are other records referencing the same file: do not delete the file now.
// This check won't find duplicates, if they are spread over different columns or tables.
$samePathFileName = $this->db->sql("SELECT COUNT($primaryKey) AS cnt FROM $tableName WHERE $key LIKE ?", ROW_EXPECT_1, [$file]);
$samePathFileName = $this->db->sql("SELECT COUNT($primaryKey) AS cnt FROM `$tableName` WHERE `$key` LIKE ?", ROW_EXPECT_1, [$file]);
if ($samePathFileName['cnt'] === 1) {
HelperFile::unlink($file);
$this->db->deleteSplitFileAndRecord($row[$primaryKey], $tableName);
......
......@@ -279,7 +279,7 @@ class AbstractException extends \Exception {
$linkFormElement = '';
try {
$db = new Database();
$sql = "SELECT id FROM Form WHERE name='" . $storeSystem[SYSTEM_FORM] . "'";
$sql = "SELECT `id` FROM `Form` WHERE `name`='" . $storeSystem[SYSTEM_FORM] . "'";
$r = $db->sql($sql, ROW_EXPECT_0_1);
if (!is_numeric($r[F_ID])) {
......
......@@ -125,7 +125,7 @@ class Dirty {
$this->dbIndexData = empty($sipVars[PARAM_DB_INDEX_DATA]) ? $this->store->getVar(SYSTEM_DB_INDEX_DATA, STORE_SYSTEM) : $sipVars[PARAM_DB_INDEX_DATA];
$this->doDbArray($this->dbIndexData, $this->dbIndexQfq);
$tableVars = $this->dbArray[$this->dbIndexQfq]->sql("SELECT tableName, primaryKey, dirtyMode, recordLockTimeoutSeconds FROM Form WHERE name=?", ROW_EXPECT_1, [$sipVars[SIP_FORM]], "Form not found: '" . $sipVars[SIP_FORM] . "'");
$tableVars = $this->dbArray[$this->dbIndexQfq]->sql("SELECT `tableName`, `primaryKey`, `dirtyMode`, `recordLockTimeoutSeconds` FROM `Form` WHERE `name`=?", ROW_EXPECT_1, [$sipVars[SIP_FORM]], "Form not found: '" . $sipVars[SIP_FORM] . "'");
if (empty($tableVars[F_PRIMARY_KEY])) {
$tableVars[F_PRIMARY_KEY] = F_PRIMARY_KEY_DEFAULT;
}
......@@ -208,7 +208,7 @@ class Dirty {
*/
private function getRecordDirty($tableName, $recordId) {
$recordDirty = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Dirty AS d WHERE d.tableName LIKE ? AND recordId=? ",
$recordDirty = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Dirty` AS d WHERE `d`.`tableName` LIKE ? AND `recordId`=? ",
ROW_EXPECT_0_1, [$tableName, $recordId]);
// Check if the record is timed out - owner doesn't matter.
......@@ -286,12 +286,12 @@ class Dirty {
$primaryKey = $tableVars[F_PRIMARY_KEY];
$formDirtyMode = $tableVars[F_DIRTY_MODE];
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to lock not found.");
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to lock not found.");
# Dirty workaround: setting the 'expired timestamp' minus 1 second guarantees that the client ask for relock always if the timeout is expired.
$expire = date('Y-m-d H:i:s', strtotime("+" . $tableVars[F_RECORD_LOCK_TIMEOUT_SECONDS] - 1 . " seconds"));
// Write 'dirty' record
$this->dbArray[$this->dbIndexQfq]->sql("INSERT INTO Dirty (`sip`, `tableName`, `recordId`, `expire`, `recordHashMd5`, `tabUniqId`, `feUser`, `qfqUserSessionCookie`, `dirtyMode`, `remoteAddress`, `created`) " .
$this->dbArray[$this->dbIndexQfq]->sql("INSERT INTO `Dirty` (`sip`, `tableName`, `recordId`, `expire`, `recordHashMd5`, `tabUniqId`, `feUser`, `qfqUserSessionCookie`, `dirtyMode`, `remoteAddress`, `created`) " .
"VALUES ( ?,?,?,?,?,?,?,?,?,?,? )", ROW_REGULAR,
[$s, $tableName, $recordId, $expire, $recordHashMd5, $tabUniqId, $feUser, $this->client[CLIENT_COOKIE_QFQ], $formDirtyMode,
$this->client[CLIENT_REMOTE_ADDRESS], date('YmdHis')]);
......@@ -320,7 +320,7 @@ class Dirty {
return false; // If there is no recordHashMd5, the check is not possible. Always return 'not modified' (=ok)
}
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM $tableName WHERE $primaryKey=?", ROW_EXPECT_1, [$recordId], "Record to lock not found.");
$record = $this->dbArray[$this->dbIndexData]->sql("SELECT * FROM `$tableName` WHERE `$primaryKey`=?", ROW_EXPECT_1, [$recordId], "Record to lock not found.");
$rcMd5 = OnArray::getMd5($record);
......@@ -477,7 +477,7 @@ class Dirty {
*/
private function deleteDirtyRecord($recordDirtyId) {
$cnt = $this->dbArray[$this->dbIndexQfq]->sql('DELETE FROM Dirty WHERE id=? LIMIT 1', ROW_REGULAR, [$recordDirtyId]);
$cnt = $this->dbArray[$this->dbIndexQfq]->sql('DELETE FROM `Dirty` WHERE `id`=? LIMIT 1', ROW_REGULAR, [$recordDirtyId]);
if ($cnt != 1) {
throw new \CodeException("Failed to delete dirty record id=" . $recordDirtyId, ERROR_DIRTY_DELETE_RECORD);
}
......
......@@ -204,7 +204,7 @@ class DragAndDrop {
return $data;
}
$this->db->sql("UPDATE $tableName SET $orderColumn=? WHERE id=?", ROW_REGULAR, [$ordNew, $id]);
$this->db->sql("UPDATE `$tableName` SET `$orderColumn`=? WHERE `id`=?", ROW_REGULAR, [$ordNew, $id]);
// Converting to string is necessary: JSON detects int else.
$data[API_ELEMENT_UPDATE][DND_ORD_HTML_ID_PREFIX . $id][API_ELEMENT_CONTENT] = (string)$ordNew;
......
......@@ -430,7 +430,7 @@ class FormAction {
// Check if there is a column with the same name as the 'action'-FormElement.
if ($flagFeAction && false !== $this->store->getVar($fe[FE_NAME], STORE_RECORD)) {
// After an insert or update, propagate the (new) slave id to the master record.
$this->db->sql("UPDATE " . $this->primaryTableName . " SET " . $fe[FE_NAME] . " = $slaveId WHERE id = ? LIMIT 1", ROW_REGULAR, [$recordId]);
$this->db->sql("UPDATE `" . $this->primaryTableName . "` SET `" . $fe[FE_NAME] . "` = $slaveId WHERE `id` = ? LIMIT 1", ROW_REGULAR, [$recordId]);
}
}
......@@ -552,7 +552,7 @@ class FormAction {
// will be used in sub paste's
// $clipboard["_src_id"] = $newColumns[COLUMN_ID];
$rowSrc = $this->db->sql("SELECT * FROM $recordSourceTable WHERE id=?", ROW_EXPECT_1, [$newColumns[COLUMN_ID]]);
$rowSrc = $this->db->sql("SELECT * FROM `$recordSourceTable` WHERE `id`=?", ROW_EXPECT_1, [$newColumns[COLUMN_ID]]);
$this->checkNCopyFiles($rowSrc, $newColumns);
......@@ -603,11 +603,11 @@ class FormAction {
foreach ($translateMap as $oldId => $newId) {
$row = $this->db->sql("SELECT $translateIdColumn FROM $tableName WHERE id=$newId", ROW_EXPECT_1);
$row = $this->db->sql("SELECT `$translateIdColumn` FROM `$tableName` WHERE `id`=$newId", ROW_EXPECT_1);
if (!empty($row[$translateIdColumn])) {
$newNewId = $translateMap[$row[$translateIdColumn]];
$this->db->sql("UPDATE $tableName SET $translateIdColumn=$newNewId WHERE id=$newId LIMIT 1");
$this->db->sql("UPDATE `$tableName` SET `$translateIdColumn`=$newNewId WHERE `id`=$newId LIMIT 1");
}
}
......@@ -691,10 +691,10 @@ class FormAction {
return (0);
}
$keyString = implode(',', $keys);
$keyString = '`' . implode('`,`', $keys) . '`';
$valueString = implode(',', $placeholder);
$sql = "INSERT INTO $destTable ($keyString) VALUES ($valueString)";
$sql = "INSERT INTO `$destTable` ($keyString) VALUES ($valueString)";
return $this->db->sql($sql, ROW_REGULAR, $values);
......
......@@ -766,7 +766,7 @@ class QuickFormQuery {
$pageId = $this->store->getVar(TYPO3_PAGE_ID, STORE_TYPO3, SANITIZE_ALLOW_ALNUMX);
$sessionId = session_id();
$sql = "INSERT INTO FormSubmitLog (formData, sipData, clientIp, feUser, userAgent, formId, recordId, pageId, sessionId, created)" .
$sql = "INSERT INTO `FormSubmitLog` (`formData`, `sipData`, `clientIp`, `feUser`, `userAgent`, `formId`, `recordId`, `pageId`, `sessionId`, `created`)" .
"VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())";
$params = [$formData, $sipData, $clientIp, $feUser, $userAgent, $formId, $recordId, $pageId, $sessionId];
$this->dbArray[$this->dbIndexQfq]->sql($sql, ROW_REGULAR, $params);
......@@ -866,7 +866,7 @@ class QuickFormQuery {
}
# select clipboard records
$sql = "SELECT c.idSrc as id, c.xId FROM Clipboard AS c WHERE c.cookie='$cookieQfq' AND c.formIdPaste=$formId ORDER BY c.id";
$sql = "SELECT c.idSrc as id, c.xId FROM `Clipboard` AS c WHERE `c`.`cookie`='$cookieQfq' AND `c`.`formIdPaste`=$formId ORDER BY `c`.`id`";
$arrClipboard = $this->dbArray[$this->dbIndexQfq]->sql($sql);
// Process clipboard records.
......@@ -1006,7 +1006,7 @@ class QuickFormQuery {
// Load form
$constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f.$constant LIKE ? AND f.deleted='no'", ROW_EXPECT_1,
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM `Form` AS f WHERE `f`.`$constant` LIKE ? AND `f`.`deleted`='no'", ROW_EXPECT_1,
[$formName], 'Form "' . $formName . '" not found or multiple forms with the same name.');
$form = $this->checkFormLogMode($form);
......@@ -1727,12 +1727,12 @@ class QuickFormQuery {
$dbT3 = $this->store->getVar(SYSTEM_DB_NAME_T3, STORE_SYSTEM);
// Update bodytext
$sql = "UPDATE $dbT3.tt_content SET bodytext = ?, tstamp = UNIX_TIMESTAMP(NOW()) WHERE uid = ?";
$sql = "UPDATE `$dbT3`.`tt_content` SET `bodytext` = ?, `tstamp` = UNIX_TIMESTAMP(NOW()) WHERE `uid` = ?";
$this->dbArray[$this->dbIndexData]->sql($sql, ROW_REGULAR, [$bodytext, $uid]);
// Clear cache
// Need to truncate cf_cache_pages because it is used to restore page-specific cache
$sql = "DELETE FROM $dbT3.cf_cache_pages WHERE 1";
$sql = "DELETE FROM `$dbT3`.`cf_cache_pages`";
$this->dbArray[$this->dbIndexData]->sql($sql);
$this->formSpec[F_FORWARD_MODE] = 'auto';
......@@ -1902,7 +1902,7 @@ class QuickFormQuery {
$view = Store::getVar(SETTING_TABLESORTER_VIEW, STORE_CLIENT, SANITIZE_ALLOW_ALLBUT);
$rows = $this->dbArray[$this->dbIndexQfq]->sql(
'SELECT sett.id, sett.readonly FROM ' . SETTING_TABLE_NAME . ' AS sett WHERE tableId=? AND name=? AND IF(?, public, feUser=? AND !public)',
'SELECT `sett`.`id`, `sett`.`readonly` FROM `' . SETTING_TABLE_NAME . '` AS sett WHERE `tableId`=? AND `name`=? AND IF(?, public, feUser=? AND !public)',
ROW_REGULAR, [$tableId, $name, $public, $feUser]);
// Protect Setting 'Clear'
......@@ -1916,7 +1916,7 @@ class QuickFormQuery {
if ($mode != SETTING_TABLESORTER_MODE_DELETE) {
// Insert
$this->dbArray[$this->dbIndexQfq]->sql(
'INSERT INTO ' . SETTING_TABLE_NAME . ' (type, name, public, feUser, tableId, view) VALUES (?,?,?,?,?,?)',
'INSERT INTO `' . SETTING_TABLE_NAME . '` (`type`, `name`, `public`, `feUser`, `tableId`, `view`) VALUES (?,?,?,?,?,?)',
ROW_REGULAR, [SETTING_TYPE_TABLESORTER, $name, $public, $feUser, $tableId, $view]);
}
break;
......@@ -1930,13 +1930,13 @@ class QuickFormQuery {
if ($mode == SETTING_TABLESORTER_MODE_DELETE) {
// Delete 'view'
$this->dbArray[$this->dbIndexQfq]->sql(
'DELETE FROM ' . SETTING_TABLE_NAME . ' WHERE id=?',
'DELETE FROM `' . SETTING_TABLE_NAME . '` WHERE `id`=?',
ROW_REGULAR, [$rows[0]['id']]);
} else {
// Update 'view'
$this->dbArray[$this->dbIndexQfq]->sql(
'UPDATE ' . SETTING_TABLE_NAME . ' SET view=? WHERE id=?',
'UPDATE `' . SETTING_TABLE_NAME . '` SET `view`=? WHERE `id`=?',
ROW_REGULAR, [$view, $rows[0]['id']]);
}
break;
......
......@@ -408,7 +408,7 @@ class Download {
}
$dbT3 = $this->store->getVar(SYSTEM_DB_NAME_T3, STORE_SYSTEM);
$sql = "SELECT bodytext FROM $dbT3.tt_content WHERE uid = ?";
$sql = "SELECT `bodytext` FROM `$dbT3`.`tt_content` WHERE `uid` = ?";
$tt_content = $this->db->sql($sql, ROW_EXPECT_1, [$uid]);
$qfq = new QuickFormQuery([T3DATA_BODYTEXT => $tt_content[T3DATA_BODYTEXT]], false, false);
......
......@@ -136,11 +136,14 @@ class SendMail {
* @throws \CodeException
* @throws \DbException
* @throws \DownloadException
* @throws \UserFormException
* @throws \UserReportException
* @throws \PhpOffice\PhpSpreadsheet\Exception
* @throws \PhpOffice\PhpSpreadsheet\Reader\Exception
* @throws \PhpOffice\PhpSpreadsheet\Writer\Exception
* @throws \Twig\Error\LoaderError
* @throws \Twig\Error\RuntimeError
* @throws \Twig\Error\SyntaxError
* @throws \UserFormException
* @throws \UserReportException
*/
private function sendEmail(array $mailConfig) {
$args = array();
......@@ -312,7 +315,7 @@ class SendMail {
$log[] = empty($mailConfig[SENDMAIL_TOKEN_SRC]) ? 0 : $mailConfig[SENDMAIL_TOKEN_SRC];
$db = new Database();
$db->sql('INSERT INTO MailLog (`receiver`, `cc`, `bcc`, `sender`, `subject`, `body`, `header`, `attach`, `grId`, `xId`, `xId2`, `xId3`, `src`, `modified`, `created`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NOW() )', ROW_REGULAR, $log);
$db->sql('INSERT INTO `MailLog` (`receiver`, `cc`, `bcc`, `sender`, `subject`, `body`, `header`, `attach`, `grId`, `xId`, `xId2`, `xId3`, `src`, `modified`, `created`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NOW() )', ROW_REGULAR, $log);
}
......@@ -327,11 +330,14 @@ class SendMail {
* @throws \CodeException
* @throws \DbException
* @throws \DownloadException
* @throws \UserFormException
* @throws \UserReportException
* @throws \PhpOffice\PhpSpreadsheet\Exception
* @throws \PhpOffice\PhpSpreadsheet\Reader\Exception
* @throws \PhpOffice\PhpSpreadsheet\Writer\Exception
* @throws \Twig\Error\LoaderError
* @throws \Twig\Error\RuntimeError
* @throws \Twig\Error\SyntaxError
* @throws \UserFormException
* @throws \UserReportException
*/
private function attachmentsBuild(array $attachments) {
$files = array();
......
......@@ -108,8 +108,8 @@ class Tablesorter {
private function getTableViewAsJson($tableId, $feUser) {
// Sort list by public, name
$tablesorterViews = $this->db->sql("SELECT sett.name, sett.public, sett.tableId, sett.view FROM " . SETTING_TABLE_NAME .
" AS sett WHERE type=? AND tableId=? AND ((!public AND feUser=?) OR public) ORDER BY sett.public DESC, sett.name, sett.id",
$tablesorterViews = $this->db->sql("SELECT `sett`.`name`, `sett`.`public`, `sett`.`tableId`, `sett`.`view` FROM `" . SETTING_TABLE_NAME .
"` AS sett WHERE `type`=? AND `tableId`=? AND ((!`public` AND `feUser`=?) OR `public`) ORDER BY `sett`.`public` DESC, `sett`.`name`, `sett`.`id`",
ROW_REGULAR, [SETTING_TYPE_TABLESORTER, $tableId, $feUser]);
foreach ($tablesorterViews AS $key => $row) {
......
......@@ -137,7 +137,7 @@ class Save {
$this->store->setStore($row, STORE_PARENT_RECORD, true);
$this->store->setVar(F_MULTI_COL_ID, $row[$idName], STORE_PARENT_RECORD); // In case '_id' is used, both '_id' and 'id' should be accessible.
$record = $this->db->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE id=' . $row[$idName], ROW_EXPECT_1);
$record = $this->db->sql('SELECT * FROM `' . $this->formSpec[F_TABLE_NAME] . '` WHERE `id`=' . $row[$idName], ROW_EXPECT_1);
$this->store->setStore($record, STORE_RECORD, true);
// Fake current recordId
......@@ -369,7 +369,7 @@ class Save {
$paramList = substr($paramList, 0, strlen($paramList) - 2);
$columnList = '`' . implode('`, `', array_keys($values)) . '`';
$sql = "INSERT INTO $tableName ( " . $columnList . " ) VALUES ( " . $paramList . ' )';
$sql = "INSERT INTO `$tableName` ( " . $columnList . " ) VALUES ( " . $paramList . ' )';
$rc = $this->db->sql($sql, ROW_REGULAR, array_values($values));
......@@ -911,7 +911,7 @@ class Save {
// Import the data
foreach ($worksheetData AS $rowIndex => $row) {
$columnList = implode(',', $columnListArr);
$columnList = '`' . implode('`,`', $columnListArr) . '`';
$paramPlaceholders = str_repeat('?,', count($worksheetData[0]) - 1) . '?';
$insertSql = "INSERT INTO `$tableName` ($columnList) VALUES ($paramPlaceholders)";
$this->db->sql($insertSql, ROW_REGULAR, $row);
......@@ -1121,7 +1121,7 @@ class Save {
// Create DB records according to the extracted filenames.
$tableName = TABLE_NAME_SPLIT;
$sql = "INSERT INTO $tableName (`tableName`, `xId`, `pathFilename`) VALUES (?,?,?)";
$sql = "INSERT INTO `$tableName` (`tableName`, `xId`, `pathFilename`) VALUES (?,?,?)";
// 1) Move split files to final location. 2) Created records to reference each split file.
foreach ($files as $file) {
......
......@@ -72,7 +72,7 @@ class FillStoreForm {
if (!empty($form) && !defined('PHPUNIT_QFQ')) {
// To make STORE_RECORD available at a very early stage.
$recordId = $this->store->getVar(SIP_RECORD_ID, STORE_SIP, SANITIZE_ALLOW_DIGIT);
$tableFromFormSql = "SELECT tableName, primaryKey FROM Form WHERE name=?";
$tableFromFormSql = "SELECT `tableName`, `primaryKey` FROM `Form` WHERE `name`=?";
$form = $this->dbArray[$this->dbIndexQfq]->sql($tableFromFormSql, ROW_EXPECT_1, [$form]);
if (empty($form[F_PRIMARY_KEY])) {
......
......@@ -918,7 +918,7 @@ class Store {
$primaryKey = F_PRIMARY_KEY_DEFAULT;
}
$record = $db->sql("SELECT * FROM $tableName WHERE $primaryKey = ?", ROW_EXPECT_1, [$recordId]);
$record = $db->sql("SELECT * FROM `$tableName` WHERE `$primaryKey` = ?", ROW_EXPECT_1, [$recordId]);
self::setStore($record, $store, true);
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment