columnList() properly escapes table names

2014-06-16 22:40:22 +00:00
parent 1d797b306e
commit eb36858f1a
3 changed files with 12 additions and 8 deletions
--- a/db.class.php
+++ b/db.class.php
@@ -385,7 +385,7 @@ class MeekroDB {
  }
  public function columnList($table) {
-    return $this->queryOneColumn('Field', "SHOW COLUMNS FROM $table");
+    return $this->queryOneColumn('Field', "SHOW COLUMNS FROM %b", $table);
  }
  public function tableList($db = null) {
--- a/simpletest/BasicTest.php
+++ b/simpletest/BasicTest.php
@@ -2,7 +2,7 @@
 class BasicTest extends SimpleTest {
  function __construct() {
    foreach (DB::tableList() as $table) {
-      DB::query("DROP TABLE $table");
+      DB::query("DROP TABLE %b", $table);
    }
  }
@@ -266,20 +266,24 @@ class BasicTest extends SimpleTest {
  function test_5_insert_blobs() {
-    DB::query("CREATE TABLE `storedata` (
+    DB::query("CREATE TABLE `store data` (
      `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
      `picture` BLOB
    ) ENGINE = InnoDB");
    $columns = DB::columnList('store data');
    $this->assert(count($columns) === 2);
    $this->assert($columns[1] === 'picture');
    $smile = file_get_contents('smile1.jpg');
-    DB::insert('storedata', array(
+    DB::insert('store data', array(
      'picture' => $smile,
    ));
-    DB::queryOneRow("INSERT INTO storedata (picture) VALUES (%s)", $smile);
+    DB::queryOneRow("INSERT INTO %b (picture) VALUES (%s)", 'store data', $smile);
-    $getsmile = DB::queryFirstField("SELECT picture FROM storedata WHERE id=1");
+    $getsmile = DB::queryFirstField("SELECT picture FROM %b WHERE id=1", 'store data');
-    $getsmile2 = DB::queryFirstField("SELECT picture FROM storedata WHERE id=2");
+    $getsmile2 = DB::queryFirstField("SELECT picture FROM %b WHERE id=2", 'store data');
    $this->assert($smile === $getsmile);
    $this->assert($smile === $getsmile2);
  }
--- a/simpletest/ObjectTest.php
+++ b/simpletest/ObjectTest.php
@@ -6,7 +6,7 @@ class ObjectTest extends SimpleTest {
    $this->mdb = new MeekroDB();
    foreach ($this->mdb->tableList() as $table) {
-      $this->mdb->query("DROP TABLE $table");
+      $this->mdb->query("DROP TABLE %b", $table);
    }
  }