author | Kamil Tekiela <tekiela246@gmail.com> | 2022-11-03 01:16:41 +0300 |
committer | William Desportes <williamdes@wdes.fr> | 2022-11-03 23:16:42 +0300 |
commit | b4e22b83d74531fb1285677884d29c1ea1fe581b (patch) | |
tree | f44d117b755014a16b009acea2c7c82d8294cd22 | |
parent | 296e6b62cef88d925d646eabb03ea7cb12a6c14b (diff) |
Fix import/export escaping
Signed-off-by: Kamil Tekiela <tekiela246@gmail.com>
-rw-r--r-- | libraries/classes/Controllers/Import/ImportController.php | 5 | ||||
-rw-r--r-- | libraries/classes/Plugins/Export/ExportSql.php | 17 | ||||
-rw-r--r-- | phpstan-baseline.neon | 5 | ||||
-rw-r--r-- | psalm-baseline.xml | 4 |
4 files changed, 16 insertions, 15 deletions
diff --git a/libraries/classes/Controllers/Import/ImportController.php b/libraries/classes/Controllers/Import/ImportController.php
index e581172ba4..23b8547f1e 100644
--- a/libraries/classes/Controllers/Import/ImportController.php
+++ b/libraries/classes/Controllers/Import/ImportController.php
@@ -150,10 +150,9 @@ final class ImportController extends AbstractController
 // apply values for parameters
 if (! empty($_POST['parameterized']) && ! empty($_POST['parameters']) && is_array($_POST['parameters'])) {
 $parameters = $_POST['parameters'];
- foreach ($parameters as $parameter => $replacement) {
- $replacementValue = $this->dbi->escapeString($replacement);
+ foreach ($parameters as $parameter => $replacementValue) {
 if (! is_numeric($replacementValue)) {
- $replacementValue = '\'' . $replacementValue . '\'';
+ $replacementValue = '\'' . $this->dbi->escapeString($replacementValue) . '\'';
 }
 $quoted = preg_quote($parameter, '/');
diff --git a/libraries/classes/Plugins/Export/ExportSql.php b/libraries/classes/Plugins/Export/ExportSql.php
index 14546e49bc..fa3be1ff62 100644
--- a/libraries/classes/Plugins/Export/ExportSql.php
+++ b/libraries/classes/Plugins/Export/ExportSql.php
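Review bot: Each element of `$_POST['parameters']` is still treated as a scalar, but only the outer value is checked with `is_array()`, so a nested array element fails `is_numeric()` and is handed to `escapeString()`, which will fail with a TypeError or an "Array to string conversion" warning depending on that method's signature (not visible here). A guard ahead of the numeric test, `if (! is_string($replacementValue)) { continue; }`, keeps the branch total; rejecting the request outright would be the stricter choice. Separately, `is_numeric()` accepts leading whitespace and exponent forms such as `' 1'` or `'1e3'`, which are spliced into the statement unquoted and unescaped; that cannot break out of a literal, but it means the submitted text rather than a canonical number reaches the SQL. The enclosing method continues outside the hunk, where `$replacementValue` is presumably the replacement argument of `preg_replace()` (the phpstan-baseline entry in this commit suggests so); if so, `\` and `$` sequences in the user value are interpreted as backreferences instead of being inserted literally, which `preg_replace_callback()` with a closure returning the value would avoid.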
@@ -2403,23 +2403,20 @@ class ExportSql extends ExportPlugin
 }
 } elseif ($fieldsMeta[$j]->isMappedTypeBit) {
 // detection of 'bit' works only on mysqli extension
- $values[] = "b'" . $dbi->escapeString(
- Util::printableBitValue(
- (int) $row[$j],
- (int) $fieldsMeta[$j]->length
- )
- )
- . "'";
+ $values[] = "b'" . Util::printableBitValue(
+ (int) $row[$j],
+ (int) $fieldsMeta[$j]->length
+ ) . "'";
 } elseif ($fieldsMeta[$j]->isMappedTypeGeometry) {
 // export GIS types as hex
 $values[] = '0x' . bin2hex($row[$j]);
 } elseif (! empty($GLOBALS['exporting_metadata']) && $row[$j] === '@LAST_PAGE') {
 $values[] = '@LAST_PAGE';
+ } elseif ($row[$j] === '') {
+ $values[] = "''";
 } else {
 // something else -> treat as a string
- $values[] = '\''
- . $dbi->escapeString($row[$j])
- . '\'';
+ $values[] = '\'' . $dbi->escapeString($row[$j]) . '\'';
 }
 }
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
index 9d17c4205a..00e940af5d 100644
--- a/phpstan-baseline.neon
+++ b/phpstan-baseline.neon
@@ -1321,6 +1321,11 @@ parameters:
 path: libraries/classes/Controllers/Import/ImportController.php
 -
+ message: "#^Parameter \\#2 \\$replace of function preg_replace expects array\\|string, float\\|int\\|string\\|string given\\.$#"
+ count: 1
+ path: libraries/classes/Controllers/Import/ImportController.php
+
+ -
 message: "#^Parameter \\#2 \\$size of method PhpMyAdmin\\\\Import\\:\\:getNextChunk\\(\\) expects int, float\\|int given\\.$#"
 count: 1
 path: libraries/classes/Controllers/Import/ImportController.php
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
index a32d986483..67911733ee 100644
--- a/psalm-baseline.xml
+++ b/psalm-baseline.xml
@@ -2206,7 +2206,7 @@
 <code>$import_type</code>
 <code>$local_import_file</code>
 <code>$parameter</code>
- <code>$replacement</code>
+ <code>$replacementValue</code>
 <code>$skip < $read_limit ? $skip : $read_limit</code>
 </PossiblyInvalidArgument>
 <PossiblyInvalidCast occurrences="7">
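Review bot: The new `elseif ($row[$j] === '')` branch emits exactly what the `else` branch would emit for an empty string, and nothing in the hunk records why the special case exists, so a later reader is likely to fold it back into the generic branch; a one-line comment such as `// empty string: nothing to escape, skip the escapeString() round trip` would pin the intent. The bit branch has the same gap: `escapeString()` was dropped around `Util::printableBitValue()`, presumably because that helper yields only 0/1 digits, and the existing "detection of 'bit'" comment is the natural place to state that the value is escape-free by construction. The enclosing method starts and ends outside the hunk, so the null handling that precedes these branches is not visible here.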
@@ -2216,7 +2216,7 @@
 <code>$_POST['sql_query']</code>
 <code>$format</code>
 <code>$local_import_file</code>
- <code>$replacement</code>
+ <code>$replacementValue</code>
 </PossiblyInvalidCast>
 <PossiblyInvalidOperand occurrences="3">
 <code>$charset_of_file</code>