Make column quoting more robust for greater security when passing an array of user input into update methods.

taylorotwell · taylorotwell · commit c942a1bc3099 · 2014-05-20T08:21:41.000-05:00
diff --git a/src/Illuminate/Database/Grammar.php b/src/Illuminate/Database/Grammar.php
@@ -83,7 +83,9 @@ public function wrap($value)
 	 */
 	protected function wrapValue($value)
 	{
-		return $value !== '*' ? sprintf($this->wrapper, $value) : $value;
+		if ($value === '*') return $value;
+
+		return '"'.str_replace('"', '""', $value).'"';
 	}
 
 	/**
diff --git a/src/Illuminate/Database/Query/Grammars/Grammar.php b/src/Illuminate/Database/Query/Grammars/Grammar.php
@@ -5,13 +5,6 @@
 
 class Grammar extends BaseGrammar {
 
-	/**
-	 * The keyword identifier wrapper format.
-	 *
-	 * @var string
-	 */
-	protected $wrapper = '"%s"';
-
 	/**
 	 * The components that make up a select clause.
 	 *
diff --git a/src/Illuminate/Database/Query/Grammars/MySqlGrammar.php b/src/Illuminate/Database/Query/Grammars/MySqlGrammar.php
@@ -4,13 +4,6 @@
 
 class MySqlGrammar extends Grammar {
 
-	/**
-	 * The keyword identifier wrapper format.
-	 *
-	 * @var string
-	 */
-	protected $wrapper = '`%s`';
-
 	/**
 	 * The components that make up a select clause.
 	 *
@@ -99,4 +92,17 @@ public function compileUpdate(Builder $query, $values)
 		return rtrim($sql);
 	}
 
+	/**
+	 * Wrap a single string in keyword identifiers.
+	 *
+	 * @param  string  $value
+	 * @return string
+	 */
+	protected function wrapValue($value)
+	{
+		if ($value === '*') return $value;
+
+		return '`'.str_replace('`', '``', $value).'`';
+	}
+
 }
diff --git a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
@@ -15,13 +15,6 @@ class SqlServerGrammar extends Grammar {
 		'&', '&=', '|', '|=', '^', '^=',
 	);
 
-	/**
-	 * The keyword identifier wrapper format.
-	 *
-	 * @var string
-	 */
-	protected $wrapper = '[%s]';
-
 	/**
 	 * Compile a select query into SQL.
 	 *
@@ -217,4 +210,17 @@ public function getDateFormat()
 		return 'Y-m-d H:i:s.000';
 	}
 
+	/**
+	 * Wrap a single string in keyword identifiers.
+	 *
+	 * @param  string  $value
+	 * @return string
+	 */
+	protected function wrapValue($value)
+	{
+		if ($value === '*') return $value;
+
+		return '['.str_replace(']', ']]', $value).']';
+	}
+
 }
diff --git a/src/Illuminate/Database/Schema/Grammars/MySqlGrammar.php b/src/Illuminate/Database/Schema/Grammars/MySqlGrammar.php
@@ -6,13 +6,6 @@
 
 class MySqlGrammar extends Grammar {
 
-	/**
-	 * The keyword identifier wrapper format.
-	 *
-	 * @var string
-	 */
-	protected $wrapper = '`%s`';
-
 	/**
 	 * The possible column modifiers.
 	 *
@@ -574,4 +567,17 @@ protected function modifyAfter(Blueprint $blueprint, Fluent $column)
 		}
 	}
 
+	/**
+	 * Wrap a single string in keyword identifiers.
+	 *
+	 * @param  string  $value
+	 * @return string
+	 */
+	protected function wrapValue($value)
+	{
+		if ($value === '*') return $value;
+
+		return '`'.str_replace('`', '``', $value).'`';
+	}
+
 }
diff --git a/src/Illuminate/Database/Schema/Grammars/PostgresGrammar.php b/src/Illuminate/Database/Schema/Grammars/PostgresGrammar.php
@@ -5,13 +5,6 @@
 
 class PostgresGrammar extends Grammar {
 
-	/**
-	 * The keyword identifier wrapper format.
-	 *
-	 * @var string
-	 */
-	protected $wrapper = '"%s"';
-
 	/**
 	 * The possible column modifiers.
 	 *
diff --git a/src/Illuminate/Database/Schema/Grammars/SQLiteGrammar.php b/src/Illuminate/Database/Schema/Grammars/SQLiteGrammar.php
@@ -6,13 +6,6 @@
 
 class SQLiteGrammar extends Grammar {
 
-	/**
-	 * The keyword identifier wrapper format.
-	 *
-	 * @var string
-	 */
-	protected $wrapper = '"%s"';
-
 	/**
 	 * The possible column modifiers.
 	 *
diff --git a/src/Illuminate/Database/Schema/Grammars/SqlServerGrammar.php b/src/Illuminate/Database/Schema/Grammars/SqlServerGrammar.php
@@ -5,13 +5,6 @@
 
 class SqlServerGrammar extends Grammar {
 
-	/**
-	 * The keyword identifier wrapper format.
-	 *
-	 * @var string
-	 */
-	protected $wrapper = '"%s"';
-
 	/**
 	 * The possible column modifiers.
 	 *
diff --git a/src/Illuminate/Foundation/changes.json b/src/Illuminate/Foundation/changes.json
@@ -104,7 +104,8 @@
 		{"message": "Added 'Auth::id' method to just get the authenticate user ID from the session / recaller cookie.", "backport": null},
 		{"message": "New 'Input::exists' function for checking for the mere presence of input items.", "backport": null},
 		{"message": "New system for invalidating remember me cookies on logout.", "backport": null},
-		{"message": "Iron queue now accepts ssl_verifypeer configuration option.", "backport": null}
+		{"message": "Iron queue now accepts ssl_verifypeer configuration option.", "backport": null},
+		{"message": "Make column quoting more robust for greater security when passing an array of user input into update methods.", "backport": null}
 	],
 	"4.0.*": [
 		{"message": "Added implode method to query builder and Collection class.", "backport": null},
diff --git a/tests/Database/DatabaseQueryBuilderTest.php b/tests/Database/DatabaseQueryBuilderTest.php
@@ -20,6 +20,14 @@ public function testBasicSelect()
 	}
 
 
+	public function testBasicTableWrappingProtectsQuotationMarks()
+	{
+		$builder = $this->getBuilder();
+		$builder->select('*')->from('some"table');
+		$this->assertEquals('select * from "some""table"', $builder->toSql());
+	}
+
+
 	public function testAddingSelects()
 	{
 		$builder = $this->getBuilder();
@@ -127,6 +135,14 @@ public function testBasicWheres()
 	}
 
 
+	public function testMySqlWrappingProtectsQuotationMarks()
+	{
+		$builder = $this->getMySqlBuilder();
+		$builder->select('*')->From('some`table');
+		$this->assertEquals('select * from `some``table`', $builder->toSql());
+	}
+
+
 	public function testWhereDayMySql()
 	{
 		$builder = $this->getMySqlBuilder();

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,9 @@ public function wrap($value)`
`83`	`83`	`*/`
`84`	`84`	`protected function wrapValue($value)`
`85`	`85`	`{`
`86`		`- return $value !== '*' ? sprintf($this->wrapper, $value) : $value;`
	`86`	`+ if ($value === '*') return $value;`
	`87`	`+`
	`88`	`+ return '"'.str_replace('"', '""', $value).'"';`
`87`	`89`	`}`
`88`	`90`
`89`	`91`	`/**`