ThingEngineer / PHP-MySQLi-Database-Class

Wrapper for a PHP MySQL class, which utilizes MySQLi and prepared statements.

rawQuery with rawAddPrefix - field name in the query that contains the table name #1009

Open putaprost opened 1 year ago

putaprost commented 1 year ago

I don't think this can work. I found it best for me to remove the rawAddPrefix function. I had a longer query, and the preg_match_all gave me two identical table names. In the loop it was run twice, so, for example, I had tbl_cars, and then tbl_tbl_cars. I tried to use array_unique on the $table array, and it was all ok, everything looked ok. But then, I realized I had a field name in the query that contained the table name, something like cars_id. And even with array_unique on the $table array, I was getting SELECT tbl_cars.tbl_cars_id instead of tbl_cars.cars_id. It can probably be fixed, because I think you always have a . (dot) before the column name, but I have no idea what else can happen after this, so I disabled this function.

If anyone needs it, it could work if you are careful and don't use the table name in any of the field names.

It's something along these lines:

    public function rawAddPrefix($query) {
        // Collapse the query onto one line with single spaces so the keyword
        // pattern below matches across the original line breaks.
        $query = str_replace(PHP_EOL, '', $query);
        $query = preg_replace('/\s+/', ' ', $query);
        // Capture the table name that follows each table-introducing keyword.
        preg_match_all("/(FROM|INTO|UPDATE|JOIN|DROP TABLE|TRUNCATE TABLE|CREATE TABLE|LOCK TABLE|FLASHBACK TABLE|ALTER TABLE|ANALYZE TABLE|DESCRIBE|EXPLAIN) [\\'\\´\\`]?(?!SELECT|DELETE|INSERT|REPLACE|UPDATE)([a-zA-Z0-9_-]+)[\\'\\´\\`]?/i", $query, $matches);
        // Deduplicate so a table named twice is not prefixed twice (tbl_tbl_cars).
        $matches_unique = array_unique($matches[2]);

        foreach ($matches_unique as $table) {
            // Plain substring replacement: still rewrites any field name that
            // contains the table name, e.g. cars_id becomes tbl_cars_id.
            $query = str_replace($table, self::$prefix . $table, $query);
        }
        return $query;
    }
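The two failure modes described in this issue (duplicate matches double-prefixing a table, and str_replace rewriting a column such as cars_id) both come from replacing the bare table name everywhere in the query. The following is an added example, not code from the library or from the issue author, that prefixes only the token after a table keyword and the whole-word qualifier before a dot; addPrefixSafely and its $prefix parameter are hypothetical stand-ins for the class method and self::$prefix.

```php
<?php
// Added example, not the library's or the issue author's code. Only the token
// after a table keyword and a whole-word qualifier before a dot are prefixed.
// $prefix stands in for the class's self::$prefix; addPrefixSafely is hypothetical.
function addPrefixSafely(string $query, string $prefix): string
{
    $query = preg_replace('/\s+/', ' ', str_replace(PHP_EOL, ' ', $query));

    // Same keyword list as the issue's rawAddPrefix(); the table name is group 3.
    $keywords = 'FROM|INTO|UPDATE|JOIN|DROP TABLE|TRUNCATE TABLE|CREATE TABLE|'
              . 'LOCK TABLE|FLASHBACK TABLE|ALTER TABLE|ANALYZE TABLE|DESCRIBE|EXPLAIN';
    $pattern = '/\b(' . $keywords . ')(\s+[\'`]?)'
             . '(?!SELECT|DELETE|INSERT|REPLACE|UPDATE)([a-zA-Z0-9_-]+)/i';

    // Pass 1: prefix each matched table in place. A table named twice is
    // rewritten once per occurrence, never doubled into tbl_tbl_cars.
    $tables = [];
    $query = preg_replace_callback($pattern, function (array $m) use ($prefix, &$tables): string {
        $tables[$m[3]] = true;
        return $m[1] . $m[2] . $prefix . $m[3];
    }, $query);

    // Pass 2: qualified columns such as cars.cars_id. The qualifier is prefixed
    // only as a whole token followed by a dot, so cars_id and the already
    // prefixed tbl_cars (preceded by "_") are left untouched.
    foreach (array_keys($tables) as $table) {
        $quoted = preg_quote($table, '/');
        $query = preg_replace('/(?<![A-Za-z0-9_])' . $quoted . '(?=\.)/', $prefix . $table, $query);
    }
    return $query;
}

// Constructed query reproducing the issue: the column cars_id contains the table name "cars".
$sql = 'SELECT cars.cars_id, cars.name FROM cars JOIN cars_owners ON cars.cars_id = cars_owners.cars_id';
echo addPrefixSafely($sql, 'tbl_'), PHP_EOL;
```

This remains a textual rewrite of the SQL, so a table name that also appears followed by a dot inside a string literal would still be rewritten; the library's rawQuery() is still the place to validate the final statement.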