author | diosmosis <diosmosis@users.noreply.github.com> | 2018-10-07 22:46:00 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-07 22:46:00 +0300 |
commit | 5470c4f46cbc00ee704ffee6bfae965412771ad3 (patch) | |
tree | f81ed7e5e3c0b2e46b706585b3d7ada7b26e4c36 | |
parent | 475022f41635ae0e42226f58ff9b346597d23f2e (diff) |
Quote db name in certain queries. (#13529)
-rw-r--r-- | core/Db/Schema/Mysql.php | 7 | ||||
-rw-r--r-- | tests/PHPUnit/Integration/DbHelperTest.php | 62 |
2 files changed, 67 insertions, 2 deletions
diff --git a/core/Db/Schema/Mysql.php b/core/Db/Schema/Mysql.php
index 8e13855932..60048bc30d 100644
--- a/core/Db/Schema/Mysql.php
+++ b/core/Db/Schema/Mysql.php
@@ -396,7 +396,9 @@ class Mysql implements SchemaInterface
             $dbName = $this->getDbName();
         }
 
-        Db::exec("CREATE DATABASE IF NOT EXISTS " . $dbName . " DEFAULT CHARACTER SET utf8");
+        $dbName = str_replace('`', '', $dbName);
+
+        Db::exec("CREATE DATABASE IF NOT EXISTS `" . $dbName . "` DEFAULT CHARACTER SET utf8");
     }
 
     /**
@@ -431,7 +433,8 @@ class Mysql implements SchemaInterface
     public function dropDatabase($dbName = null)
     {
         $dbName = $dbName ?: $this->getDbName();
-        Db::exec("DROP DATABASE IF EXISTS " . $dbName);
+        $dbName = str_replace('`', '', $dbName);
+        Db::exec("DROP DATABASE IF EXISTS `" . $dbName . "`");
     }
 
     /**
diff --git a/tests/PHPUnit/Integration/DbHelperTest.php b/tests/PHPUnit/Integration/DbHelperTest.php
new file mode 100644
index 0000000000..f8268f451c
--- /dev/null
+++ b/tests/PHPUnit/Integration/DbHelperTest.php
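Review bot: Discarding backticks with `str_replace('`', '', $dbName)` in both hunks (createDatabase and dropDatabase) silently retargets the statement: a name such as my`db is created or dropped as mydb with no error, and for DROP DATABASE that is the wrong schema being removed. MySQL accepts a backtick inside a quoted identifier when it is doubled, so escaping keeps the requested name while still closing the identifier the way the new quoting intends: `$dbName = str_replace('`', '``', $dbName);`. Whichever form is kept, a short intent comment on that line would help the next reader, e.g. `// quote the identifier: the name may come from the caller, never splice it in raw`. createDatabase's signature and the `is_null` fallback sit above the first hunk, so the full input path is not visible here; note also that the new test file's cleanName helper assumes stripping, so switching to escaping means updating that expectation too.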
@@ -0,0 +1,62 @@
+<?php
+/**
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Tests\Integration;
+
+use Piwik\Db;
+use Piwik\DbHelper;
+use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
+
+class DbHelperTest extends IntegrationTestCase
+{
+    public function setUp()
+    {
+        parent::setUp();
+
+        DbHelper::dropDatabase('newdb; create database anotherdb;');
+        DbHelper::dropDatabase('testdb');
+    }
+
+    public function test_createDatabase_escapesInputProperly()
+    {
+        $dbName = 'newdb`; create database anotherdb;`';
+        DbHelper::createDatabase($dbName);
+
+        $this->assertDbExists($dbName);
+        $this->assertDbNotExists('anotherdb');
+    }
+
+    public function test_dropDatabase_escapesInputProperly()
+    {
+        DbHelper::createDatabase("testdb");
+        $this->assertDbExists('testdb');
+
+        DbHelper::dropDatabase('testdb`; create database anotherdb;`');
+        $this->assertDbExists('testdb');
+        $this->assertDbNotExists('anotherdb');
+    }
+
+    private function assertDbExists($dbName)
+    {
+        $dbs = Db::fetchAll("SHOW DATABASES");
+        $dbs = array_column($dbs, 'Database');
+        $this->assertContains($this->cleanName($dbName), $dbs);
+    }
+
+    private function assertDbNotExists($dbName)
+    {
+        $dbs = Db::fetchAll("SHOW DATABASES");
+        $dbs = array_column($dbs, 'Database');
+        $this->assertNotContains($this->cleanName($dbName), $dbs);
+    }
+
+    private function cleanName($dbName)
+    {
+        return str_replace('`', '', $dbName);
+    }
+}
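Review bot: setUp() drops only the two names the tests create and never `anotherdb`, so one failed assertion leaves that database behind and every later run fails at `assertDbNotExists('anotherdb')` on stale state rather than on the code under test; add `DbHelper::dropDatabase('anotherdb');` to setUp, or a tearDown that drops all three. The cleanName helper hard-codes the production choice of discarding backticks, so these assertions only hold while Schema\Mysql strips rather than escapes them, which deserves a comment such as `// mirrors the backtick stripping in Schema\Mysql; adjust if that becomes escaping`. The tests go through DbHelper::createDatabase/dropDatabase, which are not part of this diff, so their delegation to the schema methods changed in Mysql.php is assumed rather than shown.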