From 3da884dfbcd760b2f3f5ceb8fa2ed57f60efb0dc Mon Sep 17 00:00:00 2001 From: "J. King" Date: Thu, 12 Sep 2019 09:53:43 -0400 Subject: [PATCH] Don't embed ito SQL strings with question marks Fixes #175 --- lib/Database.php | 4 ++-- tests/cases/Database/TestDatabase.php | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/Database.php b/lib/Database.php index ec373162..b50f0409 100644 --- a/lib/Database.php +++ b/lib/Database.php @@ -165,7 +165,7 @@ class Database { // nulls are pointless to have continue; } elseif (is_string($v)) { - if (strlen($v) > self::LIMIT_SET_STRING_LENGTH) { + if (strlen($v) > self::LIMIT_SET_STRING_LENGTH || strpos($v, "?") !== false) { $clause[] = "?"; $params[] = $v; } else { @@ -205,7 +205,7 @@ class Database { assert(sizeof($cols) > 0, new Exception("arrayEmpty", "cols")); $embedSet = sizeof($terms) > ((int) (self::LIMIT_SET_SIZE / sizeof($cols))); foreach ($terms as $term) { - $embedTerm = ($embedSet && strlen($term) <= self::LIMIT_SET_STRING_LENGTH); + $embedTerm = ($embedSet && strlen($term) <= self::LIMIT_SET_STRING_LENGTH && strpos($term, "?") === false); $term = str_replace(["%", "_", "^"], ["^%", "^_", "^^"], $term); $term = "%$term%"; $term = $embedTerm ? $this->db->literalString($term) : $term; diff --git a/tests/cases/Database/TestDatabase.php b/tests/cases/Database/TestDatabase.php index 93f6f398..53376340 100644 --- a/tests/cases/Database/TestDatabase.php +++ b/tests/cases/Database/TestDatabase.php @@ -52,6 +52,7 @@ class TestDatabase extends \JKingWeb\Arsse\Test\AbstractTest { ["$stringList", [], array_merge($strings, [null]), "str"], ["$stringList,?", [$longString], array_merge($strings, [$longString]), "str"], ["$stringList,'A''s'", [], array_merge($strings, ["A's"]), "str"], + ["$stringList,?", ["???"], array_merge($strings, ["???"]), "str"], ["$params", $ints, $ints, "bool"], ]; } @@ -74,6 +75,8 @@ class TestDatabase extends \JKingWeb\Arsse\Test\AbstractTest { ["(".implode(" or ", $clause).")", [], $terms, ["test"], true], ["(".implode(" and ", $clause).")", [], $terms, ["test"], false], ["(".implode(" or ", $clause)." or test like ? escape '^')", ["%$longString%"], array_merge($terms, [$longString]), ["test"], true], + ["(".implode(" or ", $clause)." or test like ? escape '^')", ["%Eh?%"], array_merge($terms, ["Eh?"]), ["test"], true], + ["(".implode(" or ", $clause)." or test like ? escape '^')", ["%?%"], array_merge($terms, ["?"]), ["test"], true], ]; } }