Add backticks and use quote() where needed

quote() cannot be used to escape identifiers
aces · Jun 4, 2020 · 5e71c3c · 5e71c3c
1 parent c1d2fc9
commit 5e71c3c
Showing 1 changed file with 10 additions and 13 deletions.
diff --git a/modules/imaging_browser/php/imagingbrowserrowprovisioner.class.inc b/modules/imaging_browser/php/imagingbrowserrowprovisioner.class.inc
@@ -114,12 +114,9 @@ class ImagingBrowserRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvisi
         $coalesce_desc = array();
 
         foreach ($scan_id_types as $id => $type) {
-            if (preg_match('\W+', $scan_id_types[$id])) {
-                $scan_id_types[$id] = $instance->quote($scan_id_types[$id]);
-            }
             $pass[$id]          = $type . 'pass';
             $qc[$id]            = $type . 'QC';
-            $coalesce_desc[$id] = $pass[$id] . '.' . $qc[$id];
+            $coalesce_desc[$id] = $instance->quote($pass[$id] . '.' . $qc[$id]);
             $case_desc[$id]     = "
                 CASE
                     COALESCE($coalesce_desc[$id], '')
@@ -154,14 +151,14 @@ class ImagingBrowserRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvisi
         foreach ($case_desc as $key => $value) {
             $left_joins .= "
             LEFT JOIN (
-              SELECT files.SessionID, 
-                MIN(files_qcstatus.QCStatus+0) as $qc[$key] 
-              FROM files 
-              JOIN files_qcstatus USING (FileID) 
-              WHERE files.AcquisitionProtocolID= $key 
-                AND files_qcstatus.QCStatus IN (1, 2) 
-              GROUP BY files.SessionID) $pass[$key] 
-                ON ($pass[$key].SessionID=f.SessionID
+              SELECT files.SessionID,
+                MIN(files_qcstatus.QCStatus+0) as `$qc[$key]`
+              FROM files
+              JOIN files_qcstatus USING (FileID)
+              WHERE files.AcquisitionProtocolID= $key
+                AND files_qcstatus.QCStatus IN (1, 2)
+              GROUP BY files.SessionID) `$pass[$key]`
+                ON (`$pass[$key]`.SessionID=f.SessionID
             ) ";
         }
 
@@ -174,7 +171,7 @@ class ImagingBrowserRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvisi
         // $scan_types are set in the configuration module
         $modalities_subquery = '';
         foreach ($case_desc as $key => $value) {
-            $modalities_subquery = "$value as $scan_id_types[$key]_QC_Status";
+            $modalities_subquery = "$value as `$scan_id_types[$key]_QC_Status`";
         }
 
         // =================================================