apply auto-quoting to order statement, if not already quoted, #60

ikkez · Feb 22, 2018 · ec77dd9 · ec77dd9
1 parent 6c02535
commit ec77dd9
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/lib/db/cortex.php b/lib/db/cortex.php
@@ -850,7 +850,7 @@ function($str) use($db) {
 			}
 		}
 		if ($options) {
-			$options = $this->queryParser->prepareOptions($options,$this->dbsType);
+			$options = $this->queryParser->prepareOptions($options,$this->dbsType,$this->db);
 			if ($count)
 				unset($options['order']);
 		}
@@ -2587,9 +2587,10 @@ protected function _likeValueToRegEx($var) {
 	 *
 	 * @param array $options
 	 * @param string $engine
+	 * @param object $db
 	 * @return array|null
 	 */
-	public function prepareOptions($options, $engine) {
+	public function prepareOptions($options, $engine, $db) {
 		if (empty($options) || !is_array($options))
 			return null;
 		switch ($engine) {
@@ -2619,6 +2620,18 @@ public function prepareOptions($options, $engine) {
 					$options['group']['initial']=$keys;
 				}
 				break;
+			case 'sql':
+				$char=substr($db->quotekey(''),0,1);
+				if (array_key_exists('order', $options) &&
+					FALSE===strpos($options['order'],$char))
+					$options['order']=preg_replace_callback(
+						'/(\w+\h?\(|(?:DESC|ASC)(?:\s+\w+)*)|(\b\d?\w(?:[\w\-.]+))/i',
+						function($match) use($db) {
+							if (!isset($match[2]))
+								return $match[1];
+							return $db->quotekey($match[2]);
+						}, $options['order']);
+				break;
 		}
 		return $options;
 	}