X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fdb%2FDatabase.php;h=92e89b0de1d6b35f21b0e65044ca7e15be4de1fd;hb=f8d50756562b5758499bc0005c0f514e41684df1;hp=02a6ec870b97b4190f8cab34c35ae05bbc42759c;hpb=663d41c91c7ad8b559fa6eddab7a3202c029e010;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/db/Database.php b/includes/db/Database.php
index 02a6ec870b..92e89b0de1 100644
--- a/includes/db/Database.php
+++ b/includes/db/Database.php
@@ -1226,6 +1226,7 @@ abstract class DatabaseBase implements IDatabase {
 return '';
 }

+ // See IDatabase::select for the docs for this function
 public function select( $table, $vars, $conds = '', $fname = __METHOD__,
 $options = [], $join_conds = [] ) {
 $sql = $this->selectSQLText( $table, $vars, $conds, $fname, $options, $join_conds );
@@ -1558,8 +1559,8 @@ abstract class DatabaseBase implements IDatabase {
 // Special-case single values, as IN isn't terribly efficient
 // Don't necessarily assume the single key is 0; we don't
 // enforce linear numeric ordering on other arrays here.
- $value = array_values( $value );
- $list .= $field . " = " . $this->addQuotes( $value[0] );
+ $value = array_values( $value )[0];
+ $list .= $field . " = " . $this->addQuotes( $value );
 } else {
 $list .= $field . " IN (" . $this->makeList( $value ) . ") ";
 }
@@ -1668,6 +1669,8 @@ abstract class DatabaseBase implements IDatabase {
 * themselves. Pass the canonical name to such functions. This is only needed
 * when calling query() directly.
 *
+ * @note This function does not sanitize user input. It is not safe to use
+ * this function to escape user input.
 * @param string $name Database table name
 * @param string $format One of:
 * quoted - Automatically pass the table name through addIdentifierQuotes()
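Review bot: On the first added line of the makeList hunk, `$value` is reassigned from the array it held on entry to its single scalar element, so one variable changes shape in the middle of the branch while the `else` branch directly below still treats `$value` as the array handed to makeList(). A distinct name keeps the two shapes apart: `$single = array_values( $value )[0];` followed by `$list .= $field . " = " . $this->addQuotes( $single );`. The enclosing loop and the count check that routes a one-element array into this branch are outside the hunk, so whether an empty array can ever reach the `[0]` index is assumed to be guarded there.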
@@ -1844,7 +1847,7 @@ abstract class DatabaseBase implements IDatabase {
 if ( !$alias || (string)$alias === (string)$name ) {
 return $name;
 } else {
- return $name . ' AS ' . $alias; // PostgreSQL needs AS
+ return $name . ' AS ' . $this->addIdentifierQuotes( $alias ); // PostgreSQL needs AS
 }
 }
@@ -1981,6 +1984,8 @@ abstract class DatabaseBase implements IDatabase {
 * Returns if the given identifier looks quoted or not according to
 * the database convention for quoting identifiers .
 *
+ * @note Do not use this to determine if untrusted input is safe.
+ * A malicious user can trick this function.
 * @param string $name
 * @return bool
 */
@@ -2584,17 +2589,13 @@ abstract class DatabaseBase implements IDatabase {
 } elseif ( !$this->mTrxAutomatic ) {
 // We want to warn about inadvertently nested begin/commit pairs, but not about
 // auto-committing implicit transactions that were started by query() via DBO_TRX
- $msg = "$fname: Transaction already in progress (from {$this->mTrxFname}), " .
- " performing implicit commit!";
- wfWarn( $msg );
- wfLogDBError( $msg,
- $this->getLogContext( [
- 'method' => __METHOD__,
- 'fname' => $fname,
- ] )
+ throw new DBUnexpectedError(
+ $this,
+ "$fname: Transaction already in progress (from {$this->mTrxFname}), " .
+ " performing implicit commit!"
 );
 } else {
- // if the transaction was automatic and has done write operations
+ // The transaction was automatic and has done write operations
 if ( $this->mTrxDoneWrites ) {
 wfDebug( "$fname: Automatic transaction with writes in progress" .
 " (from {$this->mTrxFname}), performing implicit commit!\n"
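Review bot: The alias is now wrapped by addIdentifierQuotes() on the new side of the tableNameWithAlias hunk, so a caller that already hands in a quoted alias will presumably get it quoted a second time; the method's docblock, which lies before the hunk, should state the new contract, e.g. `@param string $alias Bare, unquoted alias; it is passed through addIdentifierQuotes() here`. The early-return branch still hands back `$name` untouched when the alias equals the name, so quoting of the table name itself remains the caller's responsibility as before. The signature of tableNameWithAlias is outside the hunk.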
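Review bot: The message handed to the new DBUnexpectedError in the begin() hunk still ends with `" performing implicit commit!"`, but on the new side the throw leaves the method before any commit is carried out, so the text now reports an action that does not happen; the first fragment alone is accurate, e.g. `"$fname: Transaction already in progress (from {$this->mTrxFname})."`. With the wfLogDBError() call removed, begin() itself no longer writes this condition to the DB error log, and whether the exception reaches a handler that records it is not visible here. The comment two lines above the change still reads "We want to warn about inadvertently nested begin/commit pairs" and could be reworded to say the nesting is now rejected. begin() starts and ends outside the hunk.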