Fix value injection
This commit is contained in:
parent
e90ad9477a
commit
f7ebd61f40
@ -82,6 +82,20 @@ abstract class BuilderAbstract
|
||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Escape string value
|
||||||
|
*
|
||||||
|
* @param string $value Value to escape
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*
|
||||||
|
* @since 1.0.0
|
||||||
|
*/
|
||||||
|
public function quote(string $value) : string
|
||||||
|
{
|
||||||
|
return $this->connection->con->quote($value);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get prefix.
|
* Get prefix.
|
||||||
*
|
*
|
||||||
|
|
|
||||||
|
|
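Review bot: `quote()` declares a `string` return but hands back whatever `$this->connection->con->quote()` yields; if `con` is a `\PDO` instance (its type is not visible in this hunk), `PDO::quote()` returns `false` for drivers without native quoting, and under the declared return type that surfaces as a `TypeError` instead of a meaningful error. Checking the result explicitly gives a clearer failure: `$quoted = $this->connection->con->quote($value);` / `if ($quoted === false) { throw new \RuntimeException('Connection does not support quoting'); }` / `return $quoted;`. The docblock's "Escape string value" also understates what the caller receives, since `PDO::quote()` returns the value already wrapped in the driver's quote characters; `* Quote and escape a string value for direct use in SQL; the returned string includes the surrounding quotes.` describes it better.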
@ -256,7 +256,7 @@ class DataMapperAbstract implements DataMapperInterface
|
||||||
/**
|
/**
|
||||||
* Load.
|
* Load.
|
||||||
*
|
*
|
||||||
* @param array $objects Objects to load
|
* @param array ...$objects Objects to load
|
||||||
*
|
*
|
||||||
* @return void
|
* @return void
|
||||||
*
|
*
|
||||||
|
|
|
||||||
|
|
@ -325,7 +325,7 @@ class Builder extends BuilderAbstract
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Parsing to string.
|
* Parsing to sql string.
|
||||||
*
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*
|
*
|
||||||
|
|
@ -336,6 +336,18 @@ class Builder extends BuilderAbstract
|
||||||
return $this->grammar->compileQuery($this);
|
return $this->grammar->compileQuery($this);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Parsing to prepared string.
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*
|
||||||
|
* @since 1.0.0
|
||||||
|
*/
|
||||||
|
public function toPrepared() : string
|
||||||
|
{
|
||||||
|
return $this->grammar->compilePreparedQuery($this);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set raw query.
|
* Set raw query.
|
||||||
*
|
*
|
||||||
|
|
|
||||||
|
|
@ -297,10 +297,10 @@ class Grammar extends GrammarAbstract
|
||||||
// todo: handle IN(...) as operator
|
// todo: handle IN(...) as operator
|
||||||
|
|
||||||
if (isset($element['value'])) {
|
if (isset($element['value'])) {
|
||||||
$expression .= ' ' . strtoupper($element['operator']) . ' ' . $this->compileValue($element['value'], $query->getPrefix());
|
$expression .= ' ' . strtoupper($element['operator']) . ' ' . $this->compileValue($query, $element['value'], $query->getPrefix());
|
||||||
} else {
|
} else {
|
||||||
$operator = strtoupper($element['operator']) === '=' ? 'IS' : 'IS NOT';
|
$operator = strtoupper($element['operator']) === '=' ? 'IS' : 'IS NOT';
|
||||||
$expression .= ' ' . $operator . ' ' . $this->compileValue($element['value'], $query->getPrefix());
|
$expression .= ' ' . $operator . ' ' . $this->compileValue($query, $element['value'], $query->getPrefix());
|
||||||
}
|
}
|
||||||
|
|
||||||
return $expression;
|
return $expression;
|
||||||
|
|
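Review bot: In the `else` branch of the modified where-clause code, `$element['value']` is read again immediately after `isset($element['value'])` failed; when the key is absent entirely (rather than present with `null`) that read raises an undefined-index diagnostic before `compileValue()` turns the value into `NULL`. Passing `$element['value'] ?? null` keeps the behaviour and avoids the notice: `$expression .= ' ' . $operator . ' ' . $this->compileValue($query, $element['value'] ?? null, $query->getPrefix());`. The enclosing method starts and ends outside this hunk.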
@ -315,6 +315,7 @@ class Grammar extends GrammarAbstract
|
||||||
/**
|
/**
|
||||||
* Compile value.
|
* Compile value.
|
||||||
*
|
*
|
||||||
|
* @param Builder $query Query builder
|
||||||
* @param array|string|\Closure $value Value
|
* @param array|string|\Closure $value Value
|
||||||
* @param string $prefix Prefix in case value is a table
|
* @param string $prefix Prefix in case value is a table
|
||||||
*
|
*
|
||||||
|
|
@ -324,26 +325,26 @@ class Grammar extends GrammarAbstract
|
||||||
*
|
*
|
||||||
* @since 1.0.0
|
* @since 1.0.0
|
||||||
*/
|
*/
|
||||||
protected function compileValue($value, $prefix = '') : string
|
protected function compileValue(Builder $query, $value, string $prefix = '') : string
|
||||||
{
|
{
|
||||||
if (is_string($value)) {
|
if (is_string($value)) {
|
||||||
if (strpos($value, ':') === 0) {
|
if (strpos($value, ':') === 0) {
|
||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->valueQuotes . $value . $this->valueQuotes;
|
return $query->quote($value);
|
||||||
} elseif (is_int($value)) {
|
} elseif (is_int($value)) {
|
||||||
return (string) $value;
|
return (string) $value;
|
||||||
} elseif (is_array($value)) {
|
} elseif (is_array($value)) {
|
||||||
$values = '';
|
$values = '';
|
||||||
|
|
||||||
foreach ($value as $val) {
|
foreach ($value as $val) {
|
||||||
$values .= $this->compileValue($val) . ', ';
|
$values .= $this->compileValue($query, $val, $prefix) . ', ';
|
||||||
}
|
}
|
||||||
|
|
||||||
return '(' . rtrim($values, ', ') . ')';
|
return '(' . rtrim($values, ', ') . ')';
|
||||||
} elseif ($value instanceof \DateTime) {
|
} elseif ($value instanceof \DateTime) {
|
||||||
return $this->valueQuotes . $value->format('Y-m-d H:i:s') . $this->valueQuotes;
|
return $query->quote($value->format('Y-m-d H:i:s'));
|
||||||
} elseif (is_null($value)) {
|
} elseif (is_null($value)) {
|
||||||
return 'NULL';
|
return 'NULL';
|
||||||
} elseif (is_bool($value)) {
|
} elseif (is_bool($value)) {
|
||||||
|
|
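Review bot: For a commit titled "Fix value injection", the string branch of `compileValue()` still returns any value that starts with `:` verbatim (the `strpos($value, ':') === 0` test), so the new `$query->quote($value)` is skipped for such strings and whether a value gets quoted is decided by the data's own first character; a placeholder should be distinguished by how the builder supplied it (a dedicated marker or type) rather than by content, or at minimum the pass-through should be limited to the placeholder syntax, `if (preg_match('/^:[A-Za-z_][A-Za-z0-9_]*$/', $value) === 1) {`. The `instanceof \DateTime` branch does not match `\DateTimeImmutable`; `} elseif ($value instanceof \DateTimeInterface) {` covers both with the same `format()` call. The docblock's `@param array|string|\Closure $value` also omits the `int`, `\DateTime`, `null` and `bool` cases the body handles, and `$prefix` is now typed `string` while the `@param` line above gives no hint of when it is used. compileValue's final branches run past the end of this hunk.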
@ -512,7 +513,7 @@ class Grammar extends GrammarAbstract
|
||||||
$vals = '';
|
$vals = '';
|
||||||
|
|
||||||
foreach ($values as $value) {
|
foreach ($values as $value) {
|
||||||
$vals .= $this->compileValue($value) . ', ';
|
$vals .= $this->compileValue($query, $value) . ', ';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($vals === '') {
|
if ($vals === '') {
|
||||||
|
|
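Review bot: The call `$this->compileValue($query, $value)` in this loop passes no prefix, while the where-clause call changed in the `@ -297` hunk passes `$query->getPrefix()`; since the parameter is documented as "Prefix in case value is a table", a column reference used as a value here would be compiled without the table prefix. The update-values call in the `@ -540` hunk has the same shape. If values in these two places can never be column references, a short comment such as `// values are literals here, no table prefix needed` would make the omission deliberate; otherwise pass `$query->getPrefix()` as the third argument. `$query` is presumably the method's builder argument as in the `@ -540` hunk, and the enclosing method starts and ends outside this hunk.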
@ -540,7 +541,7 @@ class Grammar extends GrammarAbstract
|
||||||
// todo change expressionizeTableColumn to accept single column and create additionl for Columns
|
// todo change expressionizeTableColumn to accept single column and create additionl for Columns
|
||||||
$expression = $this->expressionizeTableColumn([$column], $query->getPrefix());
|
$expression = $this->expressionizeTableColumn([$column], $query->getPrefix());
|
||||||
|
|
||||||
$vals .= $expression . ' = ' . $this->compileValue($value) . ', ';
|
$vals .= $expression . ' = ' . $this->compileValue($query, $value) . ', ';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($vals === '') {
|
if ($vals === '') {
|
||||||
|
|
|
||||||