Commit 925b2587 authored by Benjamin Eberlei's avatar Benjamin Eberlei

DBAL-149 - Fixed security issue with quoteIdentifier()

parent eab4e5a0
......@@ -1166,7 +1166,7 @@ abstract class AbstractPlatform
{
$c = $this->getIdentifierQuoteCharacter();
return $c . $str . $c;
return $c . str_replace($c, $c.$c, $str) . $c;
}
/**
......
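Review bot: The doubling on the new return line only escapes the character that `getIdentifierQuoteCharacter()` returns, and since that method is platform-overridable, the method's docblock (which sits outside this hunk, as does the signature) should state the contract explicitly: `Quotes a single identifier, escaping embedded quote characters by doubling them. This does not validate the identifier and is not a substitute for allow-listing names that originate from user input.` The escaping is correct for the standard SQL `"`/`` ` `` forms where doubling the delimiter is the escape. The accompanying test only pins a lone quote character; an identifier with the quote in the middle, `$this->assertEquals($c . 'fo' . $c . $c . 'o' . $c, $this->_platform->quoteIdentifier('fo' . $c . 'o'));`, would pin the case the fix actually targets.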
......@@ -792,6 +792,6 @@ class MsSqlPlatform extends AbstractPlatform
*/
public function quoteIdentifier($str)
{
return "[" . $str . "]";
return "[" . str_replace("]", "][", $str) . "]";
}
}
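Review bot: The bracket escape on the new return line produces `][`, but T-SQL escapes a closing bracket inside a delimited identifier by doubling it (`]]`, which is what SQL Server's `QUOTENAME()` emits), so `fo]o` becomes `[fo][o]`, which the server reads as identifier `fo` followed by a second identifier `o` rather than one identifier, and a lone `]` becomes `[][]`. That still splits the identifier at an attacker-chosen point, which is the class of problem the commit sets out to close. The line should be `return "[" . str_replace("]", "]]", $str) . "]";` and the new MsSqlPlatformTest expectation should become `'[fo]]o]'`. A one-line comment such as `// T-SQL escapes ] inside [...] by doubling it, as QUOTENAME() does` would document why `[` needs no treatment.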
......@@ -16,6 +16,16 @@ abstract class AbstractPlatformTestCase extends \Doctrine\Tests\DbalTestCase
$this->_platform = $this->createPlatform();
}
public function testQuoteIdentifier()
{
if ($this->_platform->getName() == "mssql") {
$this->markTestSkipped('Not working this way on mssql.');
}
$c = $this->_platform->getIdentifierQuoteCharacter();
$this->assertEquals(str_repeat($c, 4), $this->_platform->quoteIdentifier($c));
}
public function testGetInvalidtForeignKeyReferentialActionSQL()
{
$this->setExpectedException('InvalidArgumentException');
......
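Review bot: The new testQuoteIdentifier pins only the degenerate input of a bare quote character, so an implementation that wrapped without escaping a quote embedded mid-string would pass as long as it handled that one case; add a mid-string assertion alongside it, `$this->assertEquals($c . 'fo' . $c . $c . 'o' . $c, $this->_platform->quoteIdentifier('fo' . $c . 'o'));`. The platform check on the skip line uses loose comparison, `if ($this->_platform->getName() === "mssql")` is the precise form. The skip message could also name the reason rather than the symptom, e.g. `'MSSQL delimits identifiers with [] and has its own test.'`.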
......@@ -171,5 +171,8 @@ class MsSqlPlatformTest extends AbstractPlatformTestCase
$this->assertEquals('SELECT TOP 10 * FROM user ORDER BY username DESC', $sql);
}
public function testQuoteIdentifier()
{
$this->assertEquals('[fo][o]', $this->_platform->quoteIdentifier('fo]o'));
}
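Review bot: This override is the only coverage MSSQL gets, because the abstract test skips that platform, yet it exercises a single input; it should also pin the plain wrapping, `$this->assertEquals('[foo]', $this->_platform->quoteIdentifier('foo'));`, and a trailing bracket, which under the escape as committed yields an empty `[]` token (`quoteIdentifier('foo]')` gives `[foo][]`). Whatever bracket escape the platform settles on, the expected strings here are what lock it in, so the trailing-bracket case is the one most worth adding. `assertSame` would be the stricter choice for these string comparisons.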
}
\ No newline at end of file