Changeset View
Changeset View
Standalone View
Standalone View
src/xsprintf/qsprintf.php
| Show First 20 Lines • Show All 228 Lines • ▼ Show 20 Lines | switch ($type) { | ||||
| $type = 's'; | $type = 's'; | ||||
| break; | break; | ||||
| case 'K': // Komment | case 'K': // Komment | ||||
| $value = $escaper->escapeMultilineComment($value); | $value = $escaper->escapeMultilineComment($value); | ||||
| $type = 's'; | $type = 's'; | ||||
| break; | break; | ||||
| case 'R': // Database + Table Reference | |||||
| $database_name = $value->getAphrontRefDatabaseName(); | |||||
| $database_name = $escaper->escapeColumnName($database_name); | |||||
| $table_name = $value->getAphrontRefTableName(); | |||||
| $table_name = $escaper->escapeColumnName($table_name); | |||||
amckinley: I'm assuming it's fine to use `escapeColumnName()` on DB and table names? | |||||
| $value = $database_name.'.'.$table_name; | |||||
| $type = 's'; | |||||
| break; | |||||
| default: | default: | ||||
| throw new XsprintfUnknownConversionException($type); | throw new XsprintfUnknownConversionException($type); | ||||
| } | } | ||||
| } | } | ||||
| if ($prefix) { | if ($prefix) { | ||||
| $value = $prefix.$value; | $value = $prefix.$value; | ||||
| } | } | ||||
| ▲ Show 20 Lines • Show All 62 Lines • ▼ Show 20 Lines | switch ($type) { | ||||
| case 'K': | case 'K': | ||||
| if (!is_null($value) && !is_scalar($value)) { | if (!is_null($value) && !is_scalar($value)) { | ||||
| throw new AphrontParameterQueryException( | throw new AphrontParameterQueryException( | ||||
| $query, | $query, | ||||
| pht('Expected a scalar or null for %%%s conversion.', $type)); | pht('Expected a scalar or null for %%%s conversion.', $type)); | ||||
| } | } | ||||
| break; | break; | ||||
| case 'R': | |||||
| if (!($value instanceof AphrontDatabaseTableRefInterface)) { | |||||
| throw new AphrontParameterQueryException( | |||||
| pht( | |||||
| 'Parameter to "%s" conversion in "qsprintf(...)" is not an '. | |||||
| 'instance of AphrontDatabaseTableRefInterface.', | |||||
| '%R')); | |||||
| } | |||||
| break; | |||||
| default: | default: | ||||
| throw new XsprintfUnknownConversionException($type); | throw new XsprintfUnknownConversionException($type); | ||||
| } | } | ||||
| } | } | ||||
I'm assuming it's fine to use escapeColumnName() on DB and table names?