From b794b580d092c27265db3b6cfe04313126832d91 Mon Sep 17 00:00:00 2001
From: Chris Burgess
Date: Fri, 22 Apr 2016 17:48:37 +1200
Subject: [PATCH] CRM-17983, CRM-18401. Input validation.
---
 CRM/Utils/Rule.php | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/CRM/Utils/Rule.php b/CRM/Utils/Rule.php
index d73785fdba..917e228ab6 100644
--- a/CRM/Utils/Rule.php
+++ b/CRM/Utils/Rule.php
@@ -92,7 +92,7 @@ class CRM_Utils_Rule {
 *
 * @return bool
 */
- public static function MysqlColumnName($str) {
+ public static function mysqlColumnName($str) {
 // check the length.
 // This check can be incorrect for the . format, which can be
 // a problem.
@@ -104,21 +104,23 @@ class CRM_Utils_Rule {
 }
 /**
+ * Validate an acceptable column name for sorting results.
+ *
+ * @param $str
+ *
+ * @return bool
+ */
- public static function MysqlColumnNameStrict($str) {
- // check the length.
+ public static function mysqlColumnNameStrict($str) {
+ // Check the length.
 if (empty($str) || strlen($str) > 64) {
 return FALSE;
 }
- // make sure it only contains valid characters (alphanumeric and underscores)
- // This check doesn't support the
. format, which can be
- // a problem.
- // @todo : check with the standards (http://dev.mysql.com/doc/refman/5.5/en/identifiers.html)
- if (!preg_match('/^[\w_]+$/i', $str)) {
+ // Make sure it only contains valid characters (alphanumeric and underscores).
+ //
+ // MySQL permits column names that don't match this (eg containing spaces),
+ // but CiviCRM won't create those ...
+ if (!preg_match('/^[\w_]+(\.[\w_]+)?$/i', $str)) {
 return FALSE;
 }
@@ -126,11 +128,14 @@ class CRM_Utils_Rule {
 }
 /**
- * @param $str
+ * Validate that a string is ASC or DESC.
+ *
+ * Empty string should be treated as invalid and ignored => default = ASC.
 *
+ * @param $str
 * @return bool
 */
- public static function MysqlOrderByDirection($str) {
+ public static function mysqlOrderByDirection($str) {
 if (!preg_match('/^(asc|desc)$/i', $str)) {
 return FALSE;
 }
-- 
2.25.1
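Review bot: The new pattern on the `+ if (!preg_match('/^[\w_]+(\.[\w_]+)?$/i', $str))` line still accepts a value with a trailing newline, because PCRE's `$` matches before a final `\n` unless the `D` modifier (or `\z`) is used, so `"foo\n"` passes a check the docblock now calls strict. Since the docblock says the value is a column name for sorting, it is presumably interpolated into an ORDER BY clause, where a stray newline is unlikely to be exploitable on its own, but a whitelist validator should not depend on that: `if (!preg_match('/^\w+(\.\w+)?$/iD', $str)) {` closes the gap, and `\w` already includes the underscore so `[\w_]` is redundant. The 64-byte length check above now applies to the whole `table.column` form, which is stricter than MySQL's per-identifier limit; that is safe but deserves a comment such as `// 64 is MySQL's per-identifier limit; applying it to table.column as a whole is deliberately conservative.` mysqlColumnNameStrict's body continues past the end of the hunk.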
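Review bot: The pre-existing `/^(asc|desc)$/i` pattern on the `if (!preg_match(` context line has the same trailing-newline hole as the column-name check: without the `D` modifier `$` matches before a final `\n`, so `"desc\n"` is accepted even though the new docblock says the function validates that the string is ASC or DESC; `if (!preg_match('/^(asc|desc)$/iD', $str)) {` fixes it and fits the commit's stated purpose of tightening input validation. The added docblock line `Empty string should be treated as invalid and ignored => default = ASC.` describes what a caller does with a FALSE result rather than anything this function does, since the visible body only returns FALSE on a non-match; suggest `Empty string is rejected (returns FALSE); callers are expected to fall back to ASC.` so the contract is not misread as defaulting here. The function body continues past the end of the hunk.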