return '';
}
+ // See IDatabase::select for the docs for this function
public function select( $table, $vars, $conds = '', $fname = __METHOD__,
$options = [], $join_conds = [] ) {
$sql = $this->selectSQLText( $table, $vars, $conds, $fname, $options, $join_conds );
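Review bot: the added `// See IDatabase::select for the docs for this function` comment is a plain line comment, so doc generators and IDEs will not link it; since the security caveats for `$table`, `$vars` and `$conds` now live only in the interface docblock, consider making this a PHPDoc `@see IDatabase::select` (or `{@inheritDoc}`) on `select()` so callers reading the implementation are actually led to them.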
* themselves. Pass the canonical name to such functions. This is only needed
* when calling query() directly.
*
+ * @note This function does not sanitize user input. It is not safe to use
+ * this function to escape user input.
* @param string $name Database table name
* @param string $format One of:
* quoted - Automatically pass the table name through addIdentifierQuotes()
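Review bot: the new @note says tableName() does not sanitize user input, but it sits directly above the `$format` description where `quoted` passes the name through addIdentifierQuotes(); a reader can easily conclude that the `quoted` format is the safe path for untrusted names. State explicitly that the warning applies regardless of `$format`, and that an untrusted table name must be validated against a fixed list of known table names by the caller rather than escaped.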
* Returns if the given identifier looks quoted or not according to
* the database convention for quoting identifiers .
*
+ * @note Do not use this to determine if untrusted input is safe.
+ * A malicious user can trick this function.
* @param string $name
* @return bool
*/
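Review bot: "A malicious user can trick this function" is too vague to act on. Tie it to the description two lines above: the method only reports whether the identifier looks quoted by the DBMS convention, it does not validate the identifier's contents, so a string that merely begins and ends like a quoted identifier passes. Suggested wording: "@note This is a syntactic check on the identifier's form, not validation of its contents; do not use it to decide whether untrusted input is safe." That tells callers why the check is bypassable without implying it could be made safe.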
* for use in field names (e.g. a.user_name).
*
* All of the table names given here are automatically run through
- * IDatabase::tableName(), which causes the table prefix (if any) to be
+ * DatabaseBase::tableName(), which causes the table prefix (if any) to be
* added, and various other table name mappings to be performed.
*
+ * Do not use untrusted user input as a table name. Alias names should
+ * not have characters outside of the Basic multilingual plane.
*
* @param string|array $vars
*
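Review bot: changing `IDatabase::tableName()` to `DatabaseBase::tableName()` is inconsistent with the rest of this patch, which keeps `IDatabase::buildLike()`, `IDatabase::conditional()`, `IDatabase::addQuotes()` and `IDatabase::affectedRows()` in the surrounding docs; this is the interface's docblock, so pointing at the concrete class looks like a reversion of the earlier rename rather than a fix, and the same substitution recurs in the insert, update and upsert hunks below. Please either keep the interface name throughout or explain why `DatabaseBase` is intended. Separately, the new alias-name sentence gives a restriction without a reason: say what goes wrong with characters outside the Basic Multilingual Plane (BMP is conventionally capitalized), otherwise readers cannot tell whether this is a correctness or a security constraint.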
* If an expression is given, care must be taken to ensure that it is
* DBMS-independent.
*
+ * Untrusted user input must not be passed to this parameter.
*
* @param string|array $conds
*
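Review bot: the added sentence is placed after the paragraph about expressions, which makes it read as if only expressions are affected, while the paragraph above it says `$vars` also carries field names. Move it to the top of the `$vars` description or reword it to cover both, and say what a caller should do instead when a field is user-selectable: check the requested name against a fixed allowlist of known column names before passing it here.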
* - IDatabase::buildLike()
* - IDatabase::conditional()
*
+ * Untrusted user input is safe in the values of string keys, however untrusted
+ * input must not be used in the array key names or in the values of numeric keys.
+ * Escaping of untrusted input used in values of numeric keys should be done via
+ * IDatabase::addQuotes()
*
* @param string|array $options
*
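Review bot: the second and third added sentences read as contradictory, since "untrusted input must not be used in ... the values of numeric keys" is immediately followed by instructions for escaping untrusted input in values of numeric keys. Rephrase so the rule is clear: raw untrusted input must never appear in a numeric-key SQL fragment; if a value from untrusted input has to be embedded in such a fragment, it must first be passed through IDatabase::addQuotes(). Also note that addQuotes() quotes values only; an identifier inside a fragment needs addIdentifierQuotes() (see the `quoted` format above) and, per the `$table` description, an untrusted identifier should not be used at all. Minor: "string keys, however untrusted" is a comma splice, and the final sentence lacks a full stop.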
*
* The key of the array contains the table name or alias. The value is an
* array with two elements, numbered 0 and 1. The first gives the type of
- * join, the second is an SQL fragment giving the join condition for that
- * table. For example:
+ * join, the second is the same as the $conds parameter. Thus it can be
+ * an SQL fragment, or an array where the string keys are equality and the
+ * numeric keys are SQL fragments all AND'd together. For example:
*
* array( 'page' => array( 'LEFT JOIN', 'page_latest=rev_id' ) )
*
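Review bot: now that the join condition "is the same as the $conds parameter" and may be an array, the untrusted-input rules stated for `$conds` (string-key values are safe, key names and numeric-key fragments are not) apply here as well; the text should say so rather than leave readers to infer it from the cross-reference. The example below still shows only the string form; add an array-form example alongside it, e.g. `array( 'page' => array( 'LEFT JOIN', array( 'page_latest=rev_id', 'page_namespace' => 0 ) ) )`, so the new behaviour is illustrated.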
* IDatabase::affectedRows().
*
* @param string $table Table name. This will be passed through
- * IDatabase::tableName().
+ * DatabaseBase::tableName().
* @param array $a Array of rows to insert
* @param string $fname Calling function name (use __METHOD__) for logs/profiling
* @param array $options Array of options
* UPDATE wrapper. Takes a condition array and a SET array.
*
* @param string $table Name of the table to UPDATE. This will be passed through
- * IDatabase::tableName().
+ * DatabaseBase::tableName().
* @param array $values An array of values to SET. For each array element,
* the key gives the field name, and the value gives the data to set
* that field to. The data will be quoted by IDatabase::addQuotes().
*
* @since 1.22
*
- * @param string $table Table name. This will be passed through IDatabase::tableName().
+ * @param string $table Table name. This will be passed through DatabaseBase::tableName().
* @param array $rows A single row or list of rows to insert
* @param array $uniqueIndexes List of single field names or field name tuples
* @param array $set An array of values to SET. For each array element, the