From 658bde6f0614d1d6c3c190ba48b344995cb8a66c Mon Sep 17 00:00:00 2001 From: Janette Day Date: Fri, 30 Aug 2024 14:42:46 -0500 Subject: [PATCH] Split off sanitize to a separate method --- modules/common/src/Storage/SelectFactory.php | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/modules/common/src/Storage/SelectFactory.php b/modules/common/src/Storage/SelectFactory.php index a83dc13ac4..75d1a294a0 100644 --- a/modules/common/src/Storage/SelectFactory.php +++ b/modules/common/src/Storage/SelectFactory.php @@ -104,10 +104,8 @@ private function setQueryProperties(Query $query) { private function addDateExpressions($db_query, $fields, $meta_data) { foreach ($meta_data as $definition) { // Confirm definition name is in the fields list. - $name = $this->dbQuery->escapeField($definition['name']); - $sanitizedName = $fields[$name]['field']; - if ($sanitizedName && $definition['type'] == 'date') { - $db_query->addExpression("DATE_FORMAT(" . $sanitizedName . ", '" . $definition['format'] . "')", $sanitizedName); + if ($fields[$definition['name']]['field'] && $definition['type'] == 'date') { + $db_query->addExpression("DATE_FORMAT(" . $definition['name'] . ", '" . $definition['format'] . "')", $definition['name']); } } } @@ -143,7 +141,7 @@ private function normalizeProperty(mixed $property): object { if (is_string($property) && self::safeProperty($property)) { return (object) [ "collection" => $this->alias, - "property" => $this->dbQuery->escapeField($property), + "property" => $property, "alias" => NULL, ]; } @@ -152,6 +150,10 @@ private function normalizeProperty(mixed $property): object { } // Throw exception if obviously unsafe property name. self::safeProperty($property->property); + return $property; + } + + private function sanitizeProperty(object $property) { // Sanitize the property name. $property->property = $this->dbQuery->escapeField($property->property); $property->alias = isset($property->alias) ? $this->connection->escapeAlias($property->alias) : NULL; @@ -254,6 +256,7 @@ private function normalizeOperand(mixed $operand) { */ private function propertyToString(mixed $property) { $property = $this->normalizeProperty($property); + $property = $this->sanitizeProperty($property); return "{$property->collection}.{$property->property}"; }