The escapeReserved function cannot escape SQL like the query below:
UPDATE {users} SET uid=uid - uid WHERE (name = :db_condition_placeholder_0)
It returns UPDATE "USERS" SET "UID"=uid - "UID" WHERE (name = :db_condition_placeholder_0).
It should be UPDATE "USERS" SET "UID"="UID" - "UID" WHERE (name = :db_condition_placeholder_0).

The SQL comes from the file "DRUPAL_ROOT./modules/system/system.admin.inc", line 2296, in Drupal 7.12. It is executed when you click "admin/reports/status".

I made some changes, and it works for me:

  private function escapeReserved($query)
  {
    // 'date' is only treated as a reserved word for select/insert/update/delete.
    $ddl = !((boolean) preg_match('/^(select|insert|update|delete)/i', $query));

    $search = array(
      "/({)(\w+)(})/e", // escapes all table names
      "/({L#)([0-9]+)(})/e", // escapes long id
      // reserved words used as placeholders (:uid becomes :db_uid)
      "/(\:)(uid|session|file|access|mode|comment|desc|size|start|end)/e",
      // reserved words marked with angle brackets
      "/(<uid>|<session>|<file>|<access>|<mode>|<comment>|<desc>|<size>".($ddl?'':'|<date>').")/e",
      // reserved word between two delimiters
      '/([\(\.\s,\=])(uid|session|file|access|mode|comment|desc|size'.($ddl?'':'|date').')([,\s\=)])/e',
      // reserved word at the end of the query
      '/([\(\.\s,])(uid|session|file|access|mode|comment|desc|size'.($ddl?'':'|date').')$/e',
      // uid directly after '=' and followed by whitespace
      '/(\=)(uid)(\s)/e',
    );

    $replace = array(
      "'\"\\1'.strtoupper('\\2').'\\3\"'",
      "'\"\\1'.strtoupper('\\2').'\\3\"'",
      "'\\1'.'db_'.'\\2'.'\\3'",
      "strtoupper('\"\\1\"')",
      "'\\1'.strtoupper('\"\\2\"').'\\3'",
      "'\\1'.strtoupper('\"\\2\"')",
      "'\\1'.strtoupper('\"\\2\"')",
    );

    return preg_replace($search, $replace, $query);
  }
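
Why the middle `uid` is missed, as an added example (not code from the driver or from the patches in this issue): a pattern that captures its delimiters consumes the `=` during the first match, so the next `uid` has no leading delimiter left; asserting the delimiters with lookarounds is one alternative to adding a separate `=uid` pattern. The function names, the shortened word list and the pre-quoted table name are assumptions.

```php
<?php
// Constructed input: the query from the report, with the table name already quoted.
$sql = 'UPDATE "USERS" SET uid=uid - uid WHERE (name = :db_condition_placeholder_0)';

// Strings quoted in the report: what the function returned and what it should return.
$reported = 'UPDATE "USERS" SET "UID"=uid - "UID" WHERE (name = :db_condition_placeholder_0)';
$expected = 'UPDATE "USERS" SET "UID"="UID" - "UID" WHERE (name = :db_condition_placeholder_0)';

// Reduced form of the delimiter-capturing pattern (hypothetical helper).
// The characters before and after the reserved word are part of the match,
// so the '=' that ends the first match cannot start the second one.
function escape_consuming($sql) {
  return preg_replace_callback(
    '/([\(\.\s,\=])(uid|session|file)([,\s\=)])/',
    function ($m) { return $m[1] . '"' . strtoupper($m[2]) . '"' . $m[3]; },
    $sql
  );
}

// Same word list, but the delimiters are only asserted (hypothetical helper).
// Lookbehind and lookahead do not consume input, so adjacent reserved words
// that share a delimiter are all matched in a single pass.
function escape_lookaround($sql) {
  return preg_replace_callback(
    '/(?<=[\(\.\s,\=])(uid|session|file)(?=[,\s\=)]|$)/',
    function ($m) { return '"' . strtoupper($m[1]) . '"'; },
    $sql
  );
}

$consuming = escape_consuming($sql);
$lookaround = escape_lookaround($sql);

echo $consuming, "\n";
echo $lookaround, "\n";

// Compare against the two strings from the report.
var_dump($consuming === $reported);
var_dump($lookaround === $expected);
```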

Comments

brianV

Version: 7.x-1.12 » 7.x-1.x-dev
Status: Active » Needs review
FileSize: 1.23 KB, 2.35 KB

Rolled this into two patches. The -no-whitespace-fixes file includes just the updates to the regex itself. The second makes the whitespace line up and look consistent with the rest of the file.

So the -no-whitespace-fixes patch can be used to actually see what the regex changes were. The other is the one that I actually want to have committed.

I tested this fix, and it works exactly as described.

brianV

Title: escapeReserved work incorrectly » escapeReserved doesn't escape multiple arguments in an expression

Updated title to something more descriptive.