+--------------------------------------------------------------------+
| CiviCRM version 4.7 |
+--------------------------------------------------------------------+
- | Copyright CiviCRM LLC (c) 2004-2016 |
+ | Copyright CiviCRM LLC (c) 2004-2017 |
+--------------------------------------------------------------------+
| This file is a part of CiviCRM. |
| |
/**
*
* @package CRM
- * @copyright CiviCRM LLC (c) 2004-2016
+ * @copyright CiviCRM LLC (c) 2004-2017
*/
require_once 'HTML/QuickForm/Rule/Email.php';
return FALSE;
}
- // Ensure the string contains only valid characters:
- // For column names: alphanumeric and underscores
- // For aliases: backticks, alphanumeric hyphens and underscores.
- if (!preg_match('/^((`[\w-]{1,64}`|[\w-]{1,64})\.)?(`[\w-]{1,64}`|[\w-]{1,64})$/i', $str)) {
+ // Ensure $str conforms to expected format. Not a complete expression of
+ // what MySQL permits; this should permit the formats CiviCRM generates.
+ //
+ // * Table name prefix is optional.
+ // * Table & column names & aliases:
+ // * Composed of alphanumeric chars, underscore and hyphens.
+ // * Maximum length of 64 chars.
+ // * Optionally surrounded by backticks, in which case spaces also OK.
+ if (!preg_match('/^((`[\w- ]{1,64}`|[\w-]{1,64})\.)?(`[\w- ]{1,64}`|[\w-]{1,64})$/i', $str)) {
return FALSE;
}
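Review bot: The widened pattern on L30 still ends in `$`, which in PCRE also matches just before a trailing newline, so a value such as `"col\n"` passes a check whose comment on L27-L28 promises only alphanumerics, underscore and hyphen; replace `$` with `\z` (or swap the `i` modifier, which is redundant because `\w` is already case-insensitive, for the `D` modifier). The comment block at L22-L29 is a good description of the intent and could also note that `\w` here is ASCII-only since the pattern carries no `u` flag, so identifiers with non-ASCII letters are rejected. The enclosing mysqlColumnNameOrAlias function begins before this hunk.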
* @return bool
*/
public static function mysqlOrderBy($str) {
+ $matches = array();
+ // Using the field function in order by is valid.
+ // Look for a string like field(contribution_status_id,3,4,6).
+ // or field(civicrm_contribution.contribution_status_id,3,4,6)
+ if (preg_match('/field\([a-z_.]+,[0-9,]+\)/', $str, $matches)) {
+ // We have checked these. Remove them as they will fail the next lot.
+ // Our check currently only permits numbers & no back ticks. If we get a
+ // need for strings or backticks we can add.
+ $str = str_replace($matches, '', $str);
+ }
+ $str = trim($str);
+ if (!empty($matches) && empty($str)) {
+ // nothing left to check after the field check.
+ return TRUE;
+ }
// Making a regex for a comma separated list is quite hard and not readable
// at all, so we split and loop over.
$parts = explode(',', $str);
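Review bot: `preg_match` on L40 captures only the first `field(...)` occurrence, so an ORDER BY with two FIELD() clauses keeps the second one in `$str`, where it then fails the per-part check that follows; `preg_match_all` is the intended call, with `$str = str_replace($matches[0], '', $str);` on L44 and the guard on L47 testing `$matches[0]` instead of `$matches`, since `preg_match_all` always populates `$matches`. On L47, `empty($str)` also treats the string `"0"` as empty, so `$str === ''` is the safer test once trimmed. The FIELD() pattern is case-sensitive and has no digits in its column class (`[a-z_.]+`), which may be deliberate but is worth a comment if so. mysqlOrderBy continues past the end of this hunk.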