From 496972bf95e2ddbf01cb5e50a6a594615744d942 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Thu, 12 Mar 2015 09:44:31 +0100
Subject: Fix backtick character handling in sql queries (#1490312)
---
 tests/Framework/DB.php | 108 ++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 97 insertions(+), 11 deletions(-)
(limited to 'tests')
diff --git a/tests/Framework/DB.php b/tests/Framework/DB.php
index 42020f47a..04897bb90 100644
--- a/tests/Framework/DB.php
+++ b/tests/Framework/DB.php
@@ -25,6 +25,8 @@ class Framework_DB extends PHPUnit_Framework_TestCase
     {
         $db = new rcube_db_test_wrapper('test');
         $db->set_option('table_prefix', 'prefix_');
+        $db->set_option('identifier_start', '`');
+        $db->set_option('identifier_end', '`');
         $script = implode("\n", array(
             "CREATE TABLE `xxx` (test int, INDEX xxx (test));",
@@ -38,26 +40,88 @@ class Framework_DB extends PHPUnit_Framework_TestCase
             "SELECT test FROM xxx;",
         ));
         $output = implode("\n", array(
-            "CREATE TABLE `prefix_xxx` (test int, INDEX prefix_xxx (test));",
-            "ALTER TABLE `prefix_xxx` CHANGE test test int;",
-            "TRUNCATE prefix_xxx;",
-            "DROP TABLE `prefix_vvv`;",
+            "CREATE TABLE `prefix_xxx` (test int, INDEX prefix_xxx (test))",
+            "ALTER TABLE `prefix_xxx` CHANGE test test int",
+            "TRUNCATE prefix_xxx",
+            "DROP TABLE `prefix_vvv`",
             "CREATE TABLE `prefix_i` (test int CONSTRAINT `prefix_iii`
-                FOREIGN KEY (`test`) REFERENCES `prefix_xxx`(`test`) ON DELETE CASCADE ON UPDATE CASCADE);",
-            "INSERT INTO prefix_xxx test = 1;",
-            "SELECT test FROM prefix_xxx;",
+                FOREIGN KEY (`test`) REFERENCES `prefix_xxx`(`test`) ON DELETE CASCADE ON UPDATE CASCADE)",
+            "INSERT INTO prefix_xxx test = 1",
+            "SELECT test FROM prefix_xxx",
         ));
         $result = $db->exec_script($script);
-        $out = '';
+        $out = array();
         foreach ($db->queries as $q) {
-            $out[] = $q[0];
+            $out[] = $q;
         }
         $this->assertTrue($result, "Execute SQL script (result)");
         $this->assertSame(implode("\n", $out), $output, "Execute SQL script (content)");
     }
+
+    /**
+     * Test query parsing and arguments quoting
+     */
+    function test_query_parsing()
+    {
+        $db = new rcube_db_test_wrapper('test');
+        $db->set_option('identifier_start', '`');
+        $db->set_option('identifier_end', '`');
+
+        $db->query("SELECT ?", "test`test");
+        $db->query("SELECT ?", "test?test");
+        $db->query("SELECT ?", "test``test");
+        $db->query("SELECT ?", "test??test");
+        $db->query("SELECT `test` WHERE 'test``test'");
+        $db->query("SELECT `test` WHERE 'test??test'");
+        $db->query("SELECT `test` WHERE `test` = ?", "`te``st`");
+        $db->query("SELECT `test` WHERE `test` = ?", "?test?");
+        $db->query("SELECT `test` WHERE `test` = ?", "????");
+
+        $expected = implode("\n", array(
+            "SELECT 'test`test'",
+            "SELECT 'test?test'",
+            "SELECT 'test``test'",
+            "SELECT 'test??test'",
+            "SELECT `test` WHERE 'test`test'",
+            "SELECT `test` 
WHERE 'test?test'",
+            "SELECT `test` WHERE `test` = '`te``st`'",
+            "SELECT `test` WHERE `test` = '?test?'",
+            "SELECT `test` WHERE `test` = '????'",
+        ));
+
+        $this->assertSame($expected, implode("\n", $db->queries), "Query parsing [1]");
+
+        $db->set_option('identifier_start', '"');
+        $db->set_option('identifier_end', '"');
+        $db->queries = array();
+
+        $db->query("SELECT ?", "test`test");
+        $db->query("SELECT ?", "test?test");
+        $db->query("SELECT ?", "test``test");
+        $db->query("SELECT ?", "test??test");
+        $db->query("SELECT `test` WHERE 'test``test'");
+        $db->query("SELECT `test` WHERE 'test??test'");
+        $db->query("SELECT `test` WHERE `test` = ?", "`te``st`");
+        $db->query("SELECT `test` WHERE `test` = ?", "?test?");
+        $db->query("SELECT `test` WHERE `test` = ?", "????");
+
+        $expected = implode("\n", array(
+            "SELECT 'test`test'",
+            "SELECT 'test?test'",
+            "SELECT 'test``test'",
+            "SELECT 'test??test'",
+            "SELECT \"test\" WHERE 'test`test'",
+            "SELECT \"test\" WHERE 'test?test'",
+            "SELECT \"test\" WHERE \"test\" = '`te``st`'",
+            "SELECT \"test\" WHERE \"test\" = '?test?'",
+            "SELECT \"test\" WHERE \"test\" = '????'",
+        ));
+
+        $this->assertSame($expected, implode("\n", $db->queries), "Query parsing [2]");
+    }
 }
 /**
@@ -67,8 +131,30 @@ class rcube_db_test_wrapper extends rcube_db
 {
     public $queries = array();
-    protected function _query($query, $offset, $numrows, $params)
+    protected function query_execute($query)
+    {
+        $this->queries[] = $query;
+    }
+
+    public function db_connect($mode, $force = false)
+    {
+        $this->dbh = new rcube_db_test_dbh();
+    }
+
+    public function is_connected()
+    {
+        return true;
+    }
+
+    protected function debug($data)
+    {
+    }
+}
+
+class rcube_db_test_dbh
+{
+    public function quote($data, $type)
     {
-        $this->queries[] = array(trim($query), $offset, $numrows, $params);
+        return "'$data'";
     }
 }
-- cgit v1.2.3
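Review bot: The expected values in test_query_parsing encode an asymmetry that nothing in the test explains: a doubled backtick in query text is collapsed even inside a single-quoted SQL literal (`'test``test'` becomes `'test`test'`, under both identifier-quote settings), while a doubled `?` in the same position is preserved and a doubled backtick passed as a bound argument is also preserved (`SELECT 'test``test'`). If a doubled backtick in query text is rcube_db's own escape for a literal backtick, the test should say so above the first such case, e.g. `// "``" in query text is rcube_db's escape for a literal backtick; "??" is not an escape, and bound arguments are never rewritten`; otherwise the expected string is pinning a bug. No bound argument contains a single quote or a backslash, so this test cannot show whether placeholder substitution happens before or after quoting for the characters that actually matter for injection; a case such as `$db->query("SELECT ?", "te'st");` run against a quote() stub that escapes would close that gap. The enclosing test_exec_script begins before this hunk, so its earlier lines were not reviewed here.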
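Review bot: rcube_db_test_dbh::quote() returns `"'$data'"` with no escaping, so any assertion built on this wrapper passes a value containing `'` or `\` straight through and the fixture can only check placeholder parsing, never that arguments are quoted safely. Since the class name suggests it stands in for the real PDO handle, the stub should at least double single quotes so expected strings reflect what a driver would produce, `return "'" . str_replace("'", "''", $data) . "'";`, and carry a comment such as `// test double for PDO::quote(); $type is ignored and only ' is escaped`. db_connect() ignores both $mode and $force and query_execute() returns nothing; if rcube_db::query() inspects the return value of query_execute(), the wrapper would need to return the recorded query as well — rcube_db is not visible here, so confirm against its real signatures.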