src/xsprintf/qsprintf.php
Show First 20 Lines • Show All 228 Lines • ▼ Show 20 Lines | switch ($type) { | ||||
$type = 's'; | $type = 's'; | ||||
break; | break; | ||||
case 'K': // Komment | case 'K': // Komment | ||||
$value = $escaper->escapeMultilineComment($value); | $value = $escaper->escapeMultilineComment($value); | ||||
$type = 's'; | $type = 's'; | ||||
break; | break; | ||||
case 'R': // Database + Table Reference | |||||
$database_name = $value->getAphrontRefDatabaseName(); | |||||
$database_name = $escaper->escapeColumnName($database_name); | |||||
$table_name = $value->getAphrontRefTableName(); | |||||
$table_name = $escaper->escapeColumnName($table_name); | |||||
amckinley: I'm assuming it's fine to use `escapeColumnName()` on DB and table names? | |||||
$value = $database_name.'.'.$table_name; | |||||
$type = 's'; | |||||
break; | |||||
default: | default: | ||||
throw new XsprintfUnknownConversionException($type); | throw new XsprintfUnknownConversionException($type); | ||||
} | } | ||||
} | } | ||||
if ($prefix) { | if ($prefix) { | ||||
$value = $prefix.$value; | $value = $prefix.$value; | ||||
} | } | ||||
▲ Show 20 Lines • Show All 62 Lines • ▼ Show 20 Lines | switch ($type) { | ||||
case 'K': | case 'K': | ||||
if (!is_null($value) && !is_scalar($value)) { | if (!is_null($value) && !is_scalar($value)) { | ||||
throw new AphrontParameterQueryException( | throw new AphrontParameterQueryException( | ||||
$query, | $query, | ||||
pht('Expected a scalar or null for %%%s conversion.', $type)); | pht('Expected a scalar or null for %%%s conversion.', $type)); | ||||
} | } | ||||
break; | break; | ||||
case 'R': | |||||
if (!($value instanceof AphrontDatabaseTableRefInterface)) { | |||||
throw new AphrontParameterQueryException( | |||||
pht( | |||||
'Parameter to "%s" conversion in "qsprintf(...)" is not an '. | |||||
'instance of AphrontDatabaseTableRefInterface.', | |||||
'%R')); | |||||
} | |||||
break; | |||||
default: | default: | ||||
throw new XsprintfUnknownConversionException($type); | throw new XsprintfUnknownConversionException($type); | ||||
} | } | ||||
} | } |
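Review bot: The new `case 'R':` type check builds `AphrontParameterQueryException` from the `pht(...)` message alone, while the `case 'K':` branch directly above it passes `$query` as the first argument. The constructor is not visible here, but if it takes the query first, as that sibling call suggests, the message would land in the query slot and the exception would carry no usable text. The call should start `throw new AphrontParameterQueryException($query, pht(`, matching the other branch. This check is also the only visible guard that keeps a non-ref value from reaching `getAphrontRefDatabaseName()` in the escaping switch, so a test that passes a plain string to `%R` and expects this exception would be worth adding. The enclosing functions start and end outside the lines shown.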
I'm assuming it's fine to use escapeColumnName() on DB and table names?