The escapeReserved function cannot escape SQL like the following:
UPDATE {users} SET uid=uid - uid WHERE (name = :db_condition_placeholder_0)
It returns:
UPDATE "USERS" SET "UID"=uid - "UID" WHERE (name = :db_condition_placeholder_0)
It should be:
UPDATE "USERS" SET "UID"="UID" - "UID" WHERE (name = :db_condition_placeholder_0)
The SQL comes from DRUPAL_ROOT/modules/system/system.admin.inc, line 2296, in Drupal 7.12; it is executed when you click "admin/reports/status".
I made some change and works for me:
private function escapeReserved($query) {
  // DML (select/insert/update/delete) gets "date" added to the reserved list; DDL does not.
  $ddl = !((boolean) preg_match('/^(select|insert|update|delete)/i', $query));
  // Note: the /e (eval) modifier used below was deprecated in PHP 5.5 and removed in
  // PHP 7.0; on current PHP the same patterns need preg_replace_callback() instead.
  $search = array(
    "/({)(\w+)(})/e",                                   // escapes all table names
    "/({L#)([0-9]+)(})/e",                              // escapes long id
    "/(\:)(uid|session|file|access|mode|comment|desc|size|start|end)/e", // reserved placeholder names get a db_ prefix
    "/(<uid>|<session>|<file>|<access>|<mode>|<comment>|<desc>|<size>" . ($ddl ? '' : '|<date>') . ")/e",
    // reserved column names with a delimiter on both sides; the delimiters are consumed by the match
    '/([\(\.\s,\=])(uid|session|file|access|mode|comment|desc|size' . ($ddl ? '' : '|date') . ')([,\s\=)])/e',
    // reserved column name at the very end of the query
    '/([\(\.\s,])(uid|session|file|access|mode|comment|desc|size' . ($ddl ? '' : '|date') . ')$/e',
    // "=uid " left behind when the preceding pattern already consumed the "=" (e.g. uid=uid - uid)
    '/(\=)(uid)(\s)/e',
  );
  $replace = array(
    "'\"\\1'.strtoupper('\\2').'\\3\"'",
    "'\"\\1'.strtoupper('\\2').'\\3\"'",
    "'\\1'.'db_'.'\\2'.'\\3'",
    "strtoupper('\"\\1\"')",
    "'\\1'.strtoupper('\"\\2\"').'\\3'",
    "'\\1'.strtoupper('\"\\2\"')",
    "'\\1'.strtoupper('\"\\2\"')",
  );
  // Patterns are applied in order, each on the output of the previous one.
  return preg_replace($search, $replace, $query);
}
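The failure reported above is a consequence of how the reserved-word patterns are written: the delimiter on each side of the word is part of the match, so once " uid=" has been consumed the "=" is no longer available as a left delimiter for the second "uid", and the extra "(\=)(uid)(\s)" pattern only papers over that one case. Note that this is a correctness bug in identifier quoting, not an injection problem; the user-supplied value still travels through the bound :db_condition_placeholder_0. The following stand-alone PHP is an added illustration, not code from the issue or from the database driver being patched: it reproduces the consuming behaviour and shows a lookaround-based variant that quotes every occurrence without a special case. The reserved-word list is copied from the posted function; table-name braces, placeholder renaming and the DDL distinction are deliberately left out, and the function names are my own.

```php
<?php
// Added illustration, not code from the issue or from the driver being patched.
// Reserved-word list copied from the posted escapeReserved(); table-name braces,
// placeholder renaming and the DDL distinction are left out on purpose.
const RESERVED_WORDS = ['uid', 'session', 'file', 'access', 'mode', 'comment', 'desc', 'size'];

// Consuming pattern, as in the original: the delimiter on each side of the word is
// part of the match. After " uid=" has been matched the engine resumes AFTER the "=",
// so the next "uid" has no left delimiter left to match and stays unquoted.
function quoteReservedConsuming(string $sql): string
{
    $words = implode('|', RESERVED_WORDS);
    return preg_replace_callback(
        '/([\(\.\s,=])(' . $words . ')([,\s=\)])/',
        fn(array $m) => $m[1] . '"' . strtoupper($m[2]) . '"' . $m[3],
        $sql
    );
}

// Lookaround pattern: the context is asserted with (?<!...) and (?!...) but never
// consumed, so adjacent occurrences such as uid=uid are both quoted. The lookbehind
// also refuses a leading ":" (placeholder names) or '"' (already quoted identifiers).
function quoteReservedLookaround(string $sql): string
{
    $words = implode('|', RESERVED_WORDS);
    return preg_replace_callback(
        '/(?<![\w:"])(' . $words . ')(?![\w"])/',
        fn(array $m) => '"' . strtoupper($m[1]) . '"',
        $sql
    );
}

// Constructed input: the statement from the report, without the {users} braces
// because table-name handling is not reproduced here.
$sql = 'UPDATE users SET uid=uid - uid WHERE (name = :db_condition_placeholder_0)';

echo quoteReservedConsuming($sql), PHP_EOL;
echo quoteReservedLookaround($sql), PHP_EOL;

// The consuming version reproduces the reported defect; the lookaround version does not.
assert(quoteReservedConsuming($sql)
    === 'UPDATE users SET "UID"=uid - "UID" WHERE (name = :db_condition_placeholder_0)');
assert(quoteReservedLookaround($sql)
    === 'UPDATE users SET "UID"="UID" - "UID" WHERE (name = :db_condition_placeholder_0)');

// Applying the lookaround version twice changes nothing: the quoted words are now
// upper-case and preceded by '"', so neither the word nor the lookbehind matches.
assert(quoteReservedLookaround(quoteReservedLookaround($sql)) === quoteReservedLookaround($sql));
```

The same lookaround approach would replace the "$"-anchored and "=uid " patterns in the posted function as well, since no delimiter is ever consumed; the table-name and placeholder patterns can stay as they are because they match a bracketed token, not a bare word.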
Comment | File | Size | Author |
---|---|---|---|
#1 | 1446598-fix-escapeReservedExpression.patch | 2.35 KB | brianV |
#1 | 1446598-fix-escapeReservedExpression-no-whitespace-fixes.patch | 1.23 KB | brianV |
Comments
Comment #1
brianV commented: Rolled this into two patches. The -no-whitespace-fixes file includes just the updates to the regex itself. The second makes the whitespace line up and look consistent with the rest of the file.
So the -no-whitespace-fixes patch can be used to actually see what the regex changes were. The other is the one that I actually want to have committed.
I tested this fix, and it works exactly as described.
Comment #2
brianV commented: Updated title to something more descriptive.