Merge pull request #28 from itosho/21-potential-security-problem

itosho · web-flow · commit 9d455d957701 · 2020-09-20T00:44:10.000+09:00
#21 fix potential security problem
diff --git a/src/Model/Behavior/InsertBehavior.php b/src/Model/Behavior/InsertBehavior.php
@@ -78,11 +78,6 @@ public function insertOnce(Entity $entity, array $conditions = null)
             $insertData['modified'] = FrozenTime::now()->toDateTimeString();
         }
 
-        $escape = function ($content) {
-            return is_null($content) ? 'NULL' : '\'' . addslashes($content) . '\'';
-        };
-
-        $escapedInsertData = array_map($escape, $insertData);
         $fields = array_keys($insertData);
         $existsConditions = $conditions;
         if (is_null($existsConditions)) {
@@ -94,7 +89,7 @@ public function insertOnce(Entity $entity, array $conditions = null)
             ->insert($fields)
             ->epilog(
                 $this
-                    ->buildTmpTableSelectQuery($escapedInsertData)
+                    ->buildTmpTableSelectQuery($insertData)
                     ->where(function (QueryExpression $exp) use ($existsConditions) {
                         $query = $this->_table
                             ->find()
@@ -111,32 +106,42 @@ public function insertOnce(Entity $entity, array $conditions = null)
     /**
      * build tmp table's select query for insert select query
      *
-     * @param array $escapedData escaped array data
+     * @param array $insertData insert data
      * @throws LogicException select query is invalid
      * @return Query tmp table's select query
      */
-    private function buildTmpTableSelectQuery($escapedData)
+    private function buildTmpTableSelectQuery($insertData)
     {
         $driver = $this->_table
             ->getConnection()
             ->getDriver();
         $schema = [];
-        foreach ($escapedData as $key => $value) {
+        $binds = [];
+        foreach ($insertData as $key => $value) {
             $col = $driver->quoteIdentifier($key);
-            $schema[] = "{$value} AS {$col}";
+            if (is_null($value)) {
+                $schema[] = "NULL AS {$col}";
+            } else {
+                $bindKey = ':' . strtolower($key);
+                $binds[$bindKey] = $value;
+                $schema[] = "{$bindKey} AS {$col}";
+            }
         }
 
         $tmpTable = TableRegistry::getTableLocator()->get('tmp', [
             'schema' => $this->_table->getSchema(),
         ]);
         $query = $tmpTable
             ->find()
-            ->select(array_keys($escapedData))
+            ->select(array_keys($insertData))
             ->from(
                 sprintf('(SELECT %s) as tmp', implode(',', $schema))
             );
         /** @var Query $selectQuery */
         $selectQuery = $query;
+        foreach ($binds as $key => $value) {
+            $selectQuery->bind($key, $value);
+        }
 
         return $selectQuery;
     }
