[fix] Fix columnQuote for security issue reported by Snyk
catfan committed Oct 11, 2019
1 parent b3f05ed commit 659864b
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/Medoo.php
Expand Up @@ -500,6 +500,11 @@ protected function typeMap($value, $type)

protected function columnQuote($string)
{
if (!preg_match('/^[a-zA-Z0-9]+(\.?[a-zA-Z0-9]+)?$/i', $string))

@jfcherng (Contributor), Oct 12, 2019:

It's perfectly valid to use _ in a column name and I believe it's used quite often. This change would make v1.7.4 literally unusable for most people.

Not sure about other SQL standards. For MySQL, it's valid to use some UTF-8 chars as the column name.
https://dev.mysql.com/doc/refman/8.0/en/identifiers.html

@catfan (Author, Owner), Oct 12, 2019:

Thanks for this great spot. The _ should be added. Although it's possible to use UTF-8 chars for column names, it may cause problems for some databases. Using a-zA-Z0-9_ is enough for most cases.

{
throw new InvalidArgumentException("Incorrect column name \"$string\"");
}

if (strpos($string, '.') !== false)
{
return '"' . $this->prefix . str_replace('.', '"."', $string) . '"';
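Review bot: the character class in the added preg_match omits `_`, so any snake_case column such as `user_id` now throws InvalidArgumentException; use `[a-zA-Z0-9_]` (the `/i` modifier is then redundant, since both letter cases are already in the class). The pattern also has a looser shape than it appears to: because `\.?` is optional, the second group adds nothing beyond a longer run of the same characters, and at most one dot is accepted, so a three-part `db.table.column` reference is rejected while the unchanged `strpos`/`str_replace` branch below would happily quote it. Suggest `^[a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)?$` and a docblock on `columnQuote` stating the accepted identifier syntax, since this check turns previously accepted input into a thrown exception for existing callers.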
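The thread above settles on an allowlist of `a-zA-Z0-9_` for identifiers. The following is an added example, not Medoo's own code, of a small allowlist-based quoting helper in the same spirit as `columnQuote` (the class name `IdentifierQuoter`, the `app_` prefix and the sample inputs are all constructed here); it accepts the plain and `table.column` forms and rejects anything containing quote or statement metacharacters, which is the point of validating before interpolating into SQL.

```php
<?php
// Added example (not from the Medoo repository): allowlist validation of
// SQL identifiers before quoting them. Assumes PHP 7.4+.

final class IdentifierQuoter
{
    // Assumption: identifiers are ASCII letters, digits and underscore,
    // optionally in table.column form with exactly one dot. This is the
    // character set the review thread agreed on, not a vendor-neutral rule.
    private const PATTERN = '/^[a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)?$/';

    private string $prefix;

    public function __construct(string $prefix = '')
    {
        $this->prefix = $prefix;
    }

    // Returns a double-quoted identifier, applying the table prefix to the
    // table part of a dotted name, or throws if the name is not allowlisted.
    public function quote(string $name): string
    {
        if (!preg_match(self::PATTERN, $name)) {
            throw new InvalidArgumentException("Incorrect column name \"$name\"");
        }

        if (strpos($name, '.') !== false) {
            [$table, $column] = explode('.', $name, 2);
            return '"' . $this->prefix . $table . '"."' . $column . '"';
        }

        return '"' . $name . '"';
    }
}

$quoter = new IdentifierQuoter('app_');

// Constructed inputs: the first three are legitimate identifiers, the rest
// are shapes an attacker-controlled column name might take.
$samples = [
    'user_id',
    'account.created_at',
    'id',
    'id" OR 1=1 --',
    'db.schema.column',
    'name;DROP TABLE users',
    '',
];

foreach ($samples as $input) {
    try {
        printf("accepted  %-28s -> %s\n", var_export($input, true), $quoter->quote($input));
    } catch (InvalidArgumentException $e) {
        printf("rejected  %-28s (%s)\n", var_export($input, true), $e->getMessage());
    }
}
```

Running this prints the first three inputs as accepted (`"user_id"`, `"app_account"."created_at"`, `"id"`) and the remaining four as rejected. The allowlist is deliberately strict: it does not cover the UTF-8 identifiers MySQL permits, which is the trade-off the maintainer accepted above, and relaxing it should be done by widening the character class rather than by escaping, because quoting alone would still let a rejected name like `id" OR 1=1 --` reach the query text.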
