Make tableName test for words like JOIN or ON which signal that we are actually looki...

author Daniel Friesen <dantman@users.mediawiki.org>

Thu, 8 May 2008 09:24:24 +0000 (09:24 +0000)

committer Daniel Friesen <dantman@users.mediawiki.org>

Thu, 8 May 2008 09:24:24 +0000 (09:24 +0000)
author Daniel Friesen <dantman@users.mediawiki.org>
Thu, 8 May 2008 09:24:24 +0000 (09:24 +0000)
committer Daniel Friesen <dantman@users.mediawiki.org>
Thu, 8 May 2008 09:24:24 +0000 (09:24 +0000)
diff --git a/includes/Database.php b/includes/Database.php

index a63f0a1..c871137 100644 (file)
--- a/includes/Database.php
+++ b/includes/Database.php
@@ -1373,6 +1373,15 @@ class Database {
                 # to query a database table with a dot in the name.
                 if ( $name[0] == '`' && substr( $name, -1, 1 ) == '`' ) return $name;
                 
+               # Lets test for any bits of text that should never show up in a table
+               # name. Basically anything like JOIN or ON which are actually part of
+               # SQL queries, but may end up inside of the table value to combine
+               # sql. Such as how the API is doing.
+               # Note that we use a whitespace test rather than a \b test to avoid
+               # any remote case where a word like on may be inside of a table name
+               # surrounded by symbols which may be considered word breaks.
+               if( preg_match( '/(^|\s)(JOIN|ON)(\s|$)/i', $name ) !== false ) return $name;
+               
                 # Split database and table into proper variables.
                 # We reverse the explode so that database.table and table both output
                 # the correct table.
author	Daniel Friesen <dantman@users.mediawiki.org>
	Thu, 8 May 2008 09:24:24 +0000 (09:24 +0000)
committer	Daniel Friesen <dantman@users.mediawiki.org>
	Thu, 8 May 2008 09:24:24 +0000 (09:24 +0000)