Issue #2232425 by danblack: Database Schema field/column default value is not...

Issue #2232425 by danblack: Database Schema field/column default value is not properly quoted via PDO::quote().

Issue #2232425 by danblack: Database Schema field/column default value is not...
Issue #2232425 by danblack: Database Schema field/column default value is not properly quoted via PDO::quote().
0231d353 · alexpott · ec9d52ba · 0231d353 · 0231d353 · 0231d353
Commit 0231d353 authored Apr 16, 2014 by alexpott
--- a/core/lib/Drupal/Core/Database/Driver/mysql/Schema.php
+++ b/core/lib/Drupal/Core/Database/Driver/mysql/Schema.php
@@ -169,7 +169,7 @@ protected function createFieldSql($name, $spec) {
    // $spec['default'] can be NULL, so we explicitly check for the key here.
    if (array_key_exists('default', $spec)) {
      if (is_string($spec['default'])) {
-        $spec['default'] = "'" . $spec['default'] . "'";
+        $spec['default'] = $this->connection->quote($spec['default']);
      }
      elseif (!isset($spec['default'])) {
        $spec['default'] = 'NULL';
@@ -406,7 +406,7 @@ public function fieldSetNoDefault($table, $field) {
  public function indexExists($table, $name) {
    // Returns one row for each column in the index. Result is string or FALSE.
    // Details at http://dev.mysql.com/doc/refman/5.0/en/show-index.html
-    $row = $this->connection->query('SHOW INDEX FROM {' . $table . "} WHERE key_name = '$name'")->fetchAssoc();
+    $row = $this->connection->query('SHOW INDEX FROM {' . $table . '} WHERE key_name = ' . $this->connection->quote($name))->fetchAssoc();
    return isset($row['Key_name']);
  }


--- a/core/lib/Drupal/Core/Database/Driver/pgsql/Schema.php
+++ b/core/lib/Drupal/Core/Database/Driver/pgsql/Schema.php
@@ -207,7 +207,7 @@ protected function createFieldSql($name, $spec) {
      }
    }
    if (isset($spec['default'])) {
-      $default = is_string($spec['default']) ? "'" . $spec['default'] . "'" : $spec['default'];
+      $default = is_string($spec['default']) ? $this->connection->quote($spec['default']) : $spec['default'];
      $sql .= " default $default";
    }

@@ -436,7 +436,7 @@ public function fieldSetDefault($table, $field, $default) {
      $default = 'NULL';
    }
    else {
-      $default = is_string($default) ? "'$default'" : $default;
+      $default = is_string($default) ? $this->connection->quote($default) : $default;
    }

    $this->connection->query('ALTER TABLE {' . $table . '} ALTER COLUMN "' . $field . '" SET DEFAULT ' . $default);
@@ -603,7 +603,7 @@ public function changeField($table, $field, $field_new, $spec, $new_keys = array
      // Set sequence to maximal field value to not conflict with existing
      // entries.
      $this->connection->query("SELECT setval('" . $seq . "', MAX(\"" . $field . '")) FROM {' . $table . "}");
-      $this->connection->query('ALTER TABLE {' . $table . '} ALTER "' . $field . '" SET DEFAULT nextval(\'' . $seq . '\')');
+      $this->connection->query('ALTER TABLE {' . $table . '} ALTER ' . $field . ' SET DEFAULT nextval(' . $this->connection->quote($seq) . ')');
    }

    // Rename the column if necessary.

--- a/core/lib/Drupal/Core/Database/Driver/sqlite/Schema.php
+++ b/core/lib/Drupal/Core/Database/Driver/sqlite/Schema.php
@@ -179,7 +179,7 @@ protected function createFieldSql($name, $spec) {

      if (isset($spec['default'])) {
        if (is_string($spec['default'])) {
-          $spec['default'] = "'" . $spec['default'] . "'";
+          $spec['default'] = $this->connection->quote($spec['default']);
        }
        $sql .= ' DEFAULT ' . $spec['default'];
      }

--- a/core/modules/system/lib/Drupal/system/Tests/Database/SchemaTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Database/SchemaTest.php
@@ -47,6 +47,13 @@ function testSchema() {
          'not null' => TRUE,
          'description' => 'Schema column description.',
        ),
+        'test_field_string'  => array(
+          'type' => 'varchar',
+          'length' => 20,
+          'not null' => TRUE,
+          'default' => "'\"funky default'\"",
+          'description' => 'Schema column description for string.',
+        ),
      ),
    );
    db_create_table('test_table', $table_specification);
@@ -282,6 +289,8 @@ function testSchemaAddField() {
      $variations = array(
        array('not null' => FALSE),
        array('not null' => FALSE, 'default' => '7'),
+        array('not null' => FALSE, 'default' => substr('"thing"', 0, $length)),
+        array('not null' => FALSE, 'default' => substr("\"'hing", 0, $length)),
        array('not null' => TRUE, 'initial' => 'd'),
        array('not null' => TRUE, 'initial' => 'd', 'default' => '7'),
      );