ThingEngineer / PHP-MySQLi-Database-Class

Wrapper for a PHP MySQL class, which utilizes MySQLi and prepared statements.

Unable to use DESCRIBE with rawQuery #951

Open Dreller opened 3 years ago

Dreller commented 3 years ago

It is not possible to use the DESCRIBE keyword within rawQuery. PHP returns an error about an undefined index $table[0].

RyadPasha commented 2 years ago

The rawAddPrefix function has many bugs. The first is that only the first table in the query gets prefixed (so if a query uses a JOIN clause, for example, only the first table will get prefixed). Also, a lot of statements (DROP TABLE, TRUNCATE TABLE, CREATE TABLE, LOCK TABLE, FLASHBACK TABLE, ALTER TABLE, ANALYZE TABLE, DESCRIBE and EXPLAIN) are not supported. You can fix all these bugs by replacing that function with mine:

```php
/**
 * Add the table prefix to every table name in a raw SQL query.
 *
 * @author Mohamed Riyad <https://github.com/RyadPasha>
 * @param string $query User-provided query to execute.
 * @return string The query with self::$prefix prepended to each table name.
 */
public function rawAddPrefix($query){
    $query = preg_replace(['/[\r\n]+/', '/\s+/'], ' ', $query); // Replace multiple line breaks/spaces with a single space
    // Keyword, optional quote, table name, optional quote. The negative lookahead stops
    // "EXPLAIN SELECT ..." (or a subquery) from treating the next keyword as a table name.
    $pattern = "/(FROM|INTO|UPDATE|JOIN|DROP TABLE|TRUNCATE TABLE|CREATE TABLE|LOCK TABLE|FLASHBACK TABLE|ALTER TABLE|ANALYZE TABLE|DESCRIBE|EXPLAIN) ([\\'\\´\\`]?)(?!SELECT|DELETE|INSERT|REPLACE|UPDATE)([a-zA-Z0-9_-]+)([\\'\\´\\`]?)/i";
    // Rewrite each match in place. A global str_replace() of the table name would also hit
    // column names and other identifiers containing it, and would prefix a table twice when
    // it occurs twice in the query; the callback only touches the captured name. With no
    // match the query is returned unchanged, so there is no undefined index to read.
    return preg_replace_callback($pattern, function ($m) {
        return $m[1] . ' ' . $m[2] . self::$prefix . $m[3] . $m[4];
    }, $query);
}
```
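As an added example (not code from the library or from RyadPasha's comment), the following stand-alone PHP script applies the same regex-based prefixing approach and checks it against the cases raised in this issue: DESCRIBE, multiple tables in a JOIN, a table name that also occurs inside a column name, the same table appearing twice, EXPLAIN SELECT, and a query with no table at all (the case that produced the undefined-index error). The function name `addTablePrefix`, the `$prefix` argument, the `app_` prefix and the sample queries are constructed for this example.

```php
<?php
// Added example, not part of the library or of the comment above. Stand-alone version of
// regex-based table prefixing; function name, $prefix argument and queries are assumptions.

/**
 * Prepend $prefix to every table name that follows a table-introducing keyword in $query.
 * Quote characters around the name are kept; keywords and subqueries are not prefixed.
 */
function addTablePrefix(string $query, string $prefix): string
{
    // Collapse line breaks and runs of whitespace into a single space.
    $query = preg_replace(['/[\r\n]+/', '/\s+/'], ' ', $query);

    // Word-bounded keyword, optional quote, table name, optional quote.
    // The lookahead keeps "EXPLAIN SELECT ..." from treating SELECT as a table name.
    $pattern = '/\b(FROM|INTO|UPDATE|JOIN|DROP TABLE|TRUNCATE TABLE|CREATE TABLE|LOCK TABLE|'
             . 'ALTER TABLE|ANALYZE TABLE|DESCRIBE|EXPLAIN) ([\'`]?)'
             . '(?!SELECT|DELETE|INSERT|REPLACE|UPDATE)([a-zA-Z0-9_-]+)([\'`]?)/i';

    // Rewrite only the captured name, so column names, substrings of other identifiers
    // and already rewritten occurrences are never touched. No match returns $query as is.
    return preg_replace_callback($pattern, function (array $m) use ($prefix) {
        return $m[1] . ' ' . $m[2] . $prefix . $m[3] . $m[4];
    }, $query);
}

// Constructed queries covering the thread's cases, each with its expected output.
$cases = [
    // DESCRIBE from the issue report: prefixed instead of raising an undefined index.
    ['DESCRIBE users', 'DESCRIBE app_users'],
    // Every table in a JOIN is prefixed, not only the first.
    ['SELECT u.id FROM users u JOIN orders o ON o.user_id = u.id',
     'SELECT u.id FROM app_users u JOIN app_orders o ON o.user_id = u.id'],
    // A table name that also occurs inside a column name is rewritten only as a table.
    ['SELECT name FROM user WHERE username = ?',
     'SELECT name FROM app_user WHERE username = ?'],
    // The same table twice is prefixed once per occurrence, never doubled.
    ['SELECT * FROM `users` JOIN `users` ON 1',
     'SELECT * FROM `app_users` JOIN `app_users` ON 1'],
    // EXPLAIN SELECT: SELECT is skipped by the lookahead, the FROM table is prefixed.
    ['EXPLAIN SELECT * FROM users', 'EXPLAIN SELECT * FROM app_users'],
    // No table keyword at all: returned unchanged instead of failing.
    ['SELECT 1', 'SELECT 1'],
];

foreach ($cases as [$input, $expected]) {
    $actual = addTablePrefix($input, 'app_');
    printf("%s  %s\n", $actual === $expected ? 'ok  ' : 'FAIL', $actual);
}
```

Run it with `php prefix_check.php`; every line should print `ok`. Prefixing rewrites the query text and is a naming convenience only: the pattern can still misfire on a keyword that appears inside a string literal or comment, and it does nothing to make a raw query safe, so user-supplied values belong in bound parameters regardless of how the table names are rewritten.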