X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dmes_infos.php?a=blobdiff_plain;f=includes%2Fdb%2FIDatabase.php;h=710efb2ca60b96dd66b0036b816cbf06ff8ceb0a;hb=62d543af640479a1ecbd4de69b3f975e509ca1ab;hp=78558612813748115c8a2fdd7da7c61a1fcd7fc8;hpb=4772f4452a79f1e79c1d5ab0850e60e8a5e79ec0;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/db/IDatabase.php b/includes/db/IDatabase.php
index 7855861281..710efb2ca6 100644
--- a/includes/db/IDatabase.php
+++ b/includes/db/IDatabase.php
@@ -520,9 +520,11 @@ interface IDatabase {
  * for use in field names (e.g. a.user_name).
  *
  * All of the table names given here are automatically run through
- * IDatabase::tableName(), which causes the table prefix (if any) to be
+ * DatabaseBase::tableName(), which causes the table prefix (if any) to be
  * added, and various other table name mappings to be performed.
  *
+ * Do not use untrusted user input as a table name. Alias names should
+ * not have characters outside of the Basic multilingual plane.
  *
  * @param string|array $vars
  *
@@ -537,6 +539,7 @@ interface IDatabase {
  * If an expression is given, care must be taken to ensure that it is
  * DBMS-independent.
  *
+ * Untrusted user input must not be passed to this parameter.
  *
  * @param string|array $conds
  *
@@ -563,6 +566,10 @@ interface IDatabase {
  * - IDatabase::buildLike()
  * - IDatabase::conditional()
  *
+ * Untrusted user input is safe in the values of string keys, however untrusted * input must not be used in the array key names or in the values of numeric keys. * Escaping of untrusted input used in values of numeric keys should be done via * IDatabase::addQuotes() * * @param string|array $options *
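Review bot: The added $conds text asserts that untrusted input is "safe in the values of string keys" without saying why, and leaves "numeric keys" for the reader to decode; the join-condition hunk in this same commit states the fact a caller actually needs, that numeric-key values are raw SQL fragments ANDed together. I would make the added lines say that explicitly, e.g. `* Values of string keys are escaped by the driver (presumably via addQuotes(); confirm) and may carry untrusted input; values of numeric keys are raw SQL fragments and key names are column identifiers, so untrusted input must never appear in either.` The $vars hunk's rule that alias names stay inside the Basic Multilingual Plane also gives no rationale, and one clause on what breaks otherwise would stop readers from treating it as optional. The method signature these docblocks describe lies outside the hunks.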
@@ -628,8 +635,9 @@ interface IDatabase {
  *
  * The key of the array contains the table name or alias. The value is an
  * array with two elements, numbered 0 and 1. The first gives the type of
- * join, the second is an SQL fragment giving the join condition for that
- * table. For example:
+ * join, the second is the same as the $conds parameter. Thus it can be
+ * an SQL fragment, or an array where the string keys are equality and the
+ * numeric keys are SQL fragments all AND'd together. For example:
  *
  * array( 'page' => array( 'LEFT JOIN', 'page_latest=rev_id' ) )
  *
@@ -794,7 +802,7 @@ interface IDatabase {
  * IDatabase::affectedRows().
  *
  * @param string $table Table name. This will be passed through
- * IDatabase::tableName().
+ * DatabaseBase::tableName().
  * @param array $a Array of rows to insert
  * @param string $fname Calling function name (use __METHOD__) for logs/profiling
  * @param array $options Array of options
@@ -807,7 +815,7 @@ interface IDatabase {
  * UPDATE wrapper. Takes a condition array and a SET array.
  *
  * @param string $table Name of the table to UPDATE. This will be passed through
- * IDatabase::tableName().
+ * DatabaseBase::tableName().
  * @param array $values An array of values to SET. For each array element,
  * the key gives the field name, and the value gives the data to set
  * that field to. The data will be quoted by IDatabase::addQuotes().
@@ -1020,7 +1028,7 @@ interface IDatabase {
  *
  * @since 1.22
  *
- * @param string $table Table name. This will be passed through IDatabase::tableName().
+ * @param string $table Table name. This will be passed through DatabaseBase::tableName().
  * @param array $rows A single row or list of rows to insert
  * @param array $uniqueIndexes List of single field names or field name tuples
  * @param array $set An array of values to SET. For each array element, the
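Review bot: The rewritten join-condition paragraph now defers to $conds for its second element, but the untrusted-input restriction this commit adds to $conds (key names and numeric-key values are raw SQL) is not carried over, so a reader of this paragraph alone sees nothing forbidding user input in a join fragment. I would add after the example: `* The same restrictions on untrusted input apply as for $conds: only the values of string keys may carry user input.` Separately, four docblocks now point at DatabaseBase::tableName() from an interface whose other cross-references stay on IDatabase; if tableName() is not part of IDatabase that deserves a word, otherwise the interface reference was the more accurate one. The method signatures these docblocks describe lie outside the hunks.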
@@ -1183,14 +1191,13 @@ interface IDatabase {
 public function wasReadOnlyError();
 /**
- * Wait for the slave to catch up to a given master position.
+ * Wait for the slave to catch up to a given master position
  *
  * @param DBMasterPos $pos
- * @param int $timeout The maximum number of seconds to wait for
- * synchronisation
- * @return int Zero if the slave was past that position already,
+ * @param int $timeout The maximum number of seconds to wait for synchronisation
+ * @return int|null Zero if the slave was past that position already,
  * greater than zero if we waited for some period of time, less than
- * zero if we timed out.
+ * zero if it timed out, and null on error
  */
 public function masterPosWait( DBMasterPos $pos, $timeout );
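Review bot: The new `int|null` return with "null on error" is a contract change that the natural timeout check `if ( $db->masterPosWait( $pos, $timeout ) < 0 )` does not catch: in PHP `null < 0` is false and `null == 0` is true, so an error reads as "slave already past that position". If callers rely on this wait for read-after-write consistency, an error silently treated as success means serving stale data, which is the opposite of what the caller asked for. I would append to the @return text: `Callers must test for null explicitly; a comparison such as $result < 0 or $result == 0 does not distinguish the error case.` The summary line also lost its trailing period, unlike the neighbouring docblocks.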