From: Daniel Friesen
Date: Thu, 8 May 2008 09:24:24 +0000 (+0000)
Subject: Make tableName test for words like JOIN or ON which signal that we are actually looki...
X-Git-Tag: 1.31.0-rc.0~47826
X-Git-Url: http://git.cyclocoop.org/%28?a=commitdiff_plain;h=007ea4364b356058af98cb3e54e93513b85a9c94;p=lhc%2Fweb%2Fwiklou.git

Make tableName test for words like JOIN or ON which signal that we are actually looking at a SQL query thrown into the tableName because someone used the simple handlers in ways they really should not be.
---
diff --git a/includes/Database.php b/includes/Database.php
index a63f0a19ab..c8711374d9 100644
--- a/includes/Database.php
+++ b/includes/Database.php
@@ -1373,6 +1373,15 @@ class Database {
 # to query a database table with a dot in the name.
 if ( $name[0] == '`' && substr( $name, -1, 1 ) == '`' ) return $name;

+ # Lets test for any bits of text that should never show up in a table
+ # name. Basically anything like JOIN or ON which are actually part of
+ # SQL queries, but may end up inside of the table value to combine
+ # sql. Such as how the API is doing.
+ # Note that we use a whitespace test rather than a \b test to avoid
+ # any remote case where a word like on may be inside of a table name
+ # surrounded by symbols which may be considered word breaks.
+ if( preg_match( '/(^|\s)(JOIN|ON)(\s|$)/i', $name ) !== false ) return $name;
+
 # Split database and table into proper variables.
 # We reverse the explode so that database.table and table both output
 # the correct table.
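Review bot: The added guard `if( preg_match( '/(^|\s)(JOIN|ON)(\s|$)/i', $name ) !== false ) return $name;` fires for every input, because preg_match() returns 0 (not false) when nothing matches and `0 !== false` is true; only a PCRE error would let execution continue past it, so every table name now skips the prefixing and quoting the rest of the function applies. The intended test is `if ( preg_match( '/(^|\s)(JOIN|ON)(\s|$)/i', $name ) === 1 ) return $name;`, which also keeps a PCRE failure (false) from being treated as a match. Even once corrected, a string containing JOIN or ON is returned verbatim and nothing downstream quotes it, so callers that rely on this pass-through must assemble that fragment from fixed identifiers rather than request-derived text. The enclosing tableName() starts and ends outside the hunk.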