From ff2b58dab7460c6af4ec56766ef335f7bf915830 Mon Sep 17 00:00:00 2001
From: vrana
Date: Thu, 5 Apr 2012 13:39:43 -0700
Subject: [PATCH] Fix MySQL column escaping

Summary: MySQL doesn't treat `\` as escaping character in ##``##. This isn't probably SQL injection hole because I've found no calls of this method with user input. But better safe than sorry.

See also [[http://dev.mysql.com/doc/refman/5.1/en/server-sql-mode.html#sqlmode_no_backslash_escapes | NO_BACKSLASH_ESCAPES]].

Test Plan:
lang=sql
SELECT `a\`b`;
-- Throws: Syntax error near '`'.
-- Should throw: Unknown column 'a`b'.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran

Differential Revision: https://secure.phabricator.com/D2109
---
 src/storage/connection/mysql/AphrontMySQLDatabaseConnection.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/storage/connection/mysql/AphrontMySQLDatabaseConnection.php b/src/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
index c6a2c007a1..a78f18bb5d 100644
--- a/src/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
+++ b/src/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
@@ -38,7 +38,7 @@ final class AphrontMySQLDatabaseConnection extends AphrontDatabaseConnection {
 }
 
 public function escapeColumnName($name) {
- return '`'.str_replace('`', '\\`', $name).'`';
+ return '`'.str_replace('`', '``', $name).'`';
 }
 
 public function escapeMultilineComment($comment) {
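Review bot: The corrected `str_replace('`', '``', $name)` on the `+` line carries no comment saying why doubling rather than a backslash is the right escape, so the next reader is likely to "fix" it back; add above the return `// MySQL escapes a backtick inside a quoted identifier by doubling it; backslash is not an escape character in identifiers and is disabled entirely under NO_BACKSLASH_ESCAPES.` The replacement is byte-wise, which is correct for UTF-8 but would presumably split a character on a multibyte connection charset in which 0x60 can be a trailing byte (GBK is one), so the comment should also record the UTF-8 assumption or the connection should pin its character set explicitly. An empty `$name` still yields two bare backticks, which MySQL is unlikely to accept as an identifier; a guard such as `if ($name === '') { throw new Exception('Column name must not be empty.'); }` would fail earlier with a clearer message than the server's syntax error. The enclosing class AphrontMySQLDatabaseConnection starts before this hunk and continues after it.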