Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F14071589
D19800.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
2 KB
Referenced Files
None
Subscribers
None
D19800.diff
View Options
diff --git a/src/xsprintf/qsprintf.php b/src/xsprintf/qsprintf.php
--- a/src/xsprintf/qsprintf.php
+++ b/src/xsprintf/qsprintf.php
@@ -26,8 +26,10 @@
* Escapes a string for insertion into a pure binary column, ignoring
* tests for characters outside of the basic multilingual plane.
*
- * %C, %LC ("Column")
- * Escapes a column name or a list of column names.
+ * %C, %LC, %LK ("Column", "Key Column")
+ * Escapes a column name or a list of column names. The "%LK" variant
+ * escapes a list of key column specifications which may look like
+ * "column(32)".
*
* %K ("Comment")
* Escapes a comment.
@@ -36,6 +38,9 @@
* Injects a query fragment from a prior call to qsprintf(). The list
* variants join a list of query fragments with AND, OR, comma, or space.
*
+ * %Z ("Raw Query")
+ * Injects a raw, unescaped query fragment. Dangerous!
+ *
* %R ("Database and Table Reference")
* Behaves like "%T.%T" and prints a full reference to a table including
* the database. Accepts a AphrontDatabaseTableRefInterface.
@@ -176,6 +181,27 @@
foreach ($value as $k => $v) {
$value[$k] = $escaper->escapeColumnName($v);
}
+ $value = implode(', ', $value);
+ break;
+ case 'K': // ...key columns.
+ // This is like "%LC", but for escaping column lists passed to key
+ // specifications. These should be escaped as "`column`(123)". For
+ // example:
+ //
+ // ALTER TABLE `x` ADD KEY `y` (`u`(16), `v`(32));
+
+ foreach ($value as $k => $v) {
+ $matches = null;
+ if (preg_match('/\((\d+)\)\z/', $v, $matches)) {
+ $v = substr($v, 0, -(strlen($matches[1]) + 2));
+ $prefix_len = '('.((int)$matches[1]).')';
+ } else {
+ $prefix_len = '';
+ }
+
+ $value[$k] = $escaper->escapeColumnName($v).$prefix_len;
+ }
+
$value = implode(', ', $value);
break;
case 'Q':
@@ -258,6 +284,10 @@
$type = 's';
break;
+ case 'Z': // Raw Query Fragment
+ $type = 's';
+ break;
+
case '~': // Like Substring
case '>': // Like Prefix
case '<': // Like Suffix
@@ -337,6 +367,7 @@
case 'Ld':
case 'Ls':
case 'LC':
+ case 'LK':
case 'LB':
case 'Lf':
case 'LQ':
@@ -412,7 +443,16 @@
}
break;
+ case 'Z':
+ if (!is_string($value)) {
+ throw new AphrontParameterQueryException(
+ $query,
+ pht('Value for "%%Z" conversion should be a raw string.'));
+ }
+ break;
+
case 'LC':
+ case 'LK':
case 'T':
case 'C':
if (!is_string($value)) {
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Thu, Nov 21, 5:54 PM (29 m, 25 s)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6771429
Default Alt Text
D19800.diff (2 KB)
Attached To
Mode
D19800: Add "%Z" (Raw Query) and "%LK" (List of Columns for Keys) to qsprintf()
Attached
Detach File
Event Timeline
Log In to Comment