Merge branch 'develop' into magic-issets

Author: MGatner

system/Database/MySQLi/Connection.php

@@ -389,8 +389,49 @@ protected function _escapeString(string $str): string
 
 	//--------------------------------------------------------------------
 
+	/**
+	 * Escape Like String Direct
+	 * There are a few instances where MySQLi queries cannot take the
+	 * additional "ESCAPE x" parameter for specifying the escape character
+	 * in "LIKE" strings, and this handles those directly with a backslash.
+	 *
+	 * @param  string|string[] $str  Input string
+	 * @return string|string[]
+	 */
+	public function escapeLikeStringDirect($str)
+	{
+		if (is_array($str))
+		{
+			foreach ($str as $key => $val)
+			{
+				$str[$key] = $this->escapeLikeStringDirect($val);
+			}
+
+			return $str;
+		}
+
+		$str = $this->_escapeString($str);
+
+		// Escape LIKE condition wildcards
+		return str_replace([
+			$this->likeEscapeChar,
+			'%',
+			'_',
+		], [
+			'\\' . $this->likeEscapeChar,
+			'\\' . '%',
+			'\\' . '_',
+		], $str
+		);
+
+		return $str;
+	}
+
+	//--------------------------------------------------------------------
+	
 	/**
 	 * Generates the SQL for listing tables in a platform-dependent manner.
+	 * Uses escapeLikeStringDirect().
 	 *
 	 * @param boolean $prefixLimit
 	 *
@@ -402,7 +443,7 @@ protected function _listTables(bool $prefixLimit = false): string
 
 		if ($prefixLimit !== false && $this->DBPrefix !== '')
 		{
-			return $sql . " LIKE '" . $this->escapeLikeString($this->DBPrefix) . "%'";
+			return $sql . " LIKE '" . $this->escapeLikeStringDirect($this->DBPrefix) . "%'";
 		}
 
 		return $sql;

system/Database/SQLite3/Connection.php

@@ -207,7 +207,7 @@ protected function _escapeString(string $str): string
 	protected function _listTables(bool $prefixLimit = false): string
 	{
 		return 'SELECT "NAME" FROM "SQLITE_MASTER" WHERE "TYPE" = \'table\''
-			   . ' AND "NAME" NOT LIKE \'sqlite_%\''
+			   . ' AND "NAME" NOT LIKE \'sqlite!_%\' ESCAPE \'!\''
 			   . (($prefixLimit !== false && $this->DBPrefix !== '')
 				? ' AND "NAME" LIKE \'' . $this->escapeLikeString($this->DBPrefix) . '%\' ' . sprintf($this->likeEscapeStr,
 					$this->likeEscapeChar)

system/Session/Session.php

@@ -304,7 +304,8 @@ protected function configure()
 				$this->sessionExpiration, $this->cookiePath, $this->cookieDomain, $this->cookieSecure, true // HTTP only; Yes, this is intentional and not configurable for security reasons.
 		);
 
-		if (empty($this->sessionExpiration))
+		//if (empty($this->sessionExpiration))
+		if (!isset($this->sessionExpiration))
 		{
 			$this->sessionExpiration = (int) ini_get('session.gc_maxlifetime');
 		}

tests/system/Database/BaseConnectionTest.php

@@ -128,21 +128,4 @@ public function testStoresConnectionTimings()
 		$this->assertGreaterThan($start, $db->getConnectStart());
 		$this->assertGreaterThan(0.0, $db->getConnectDuration());
 	}
-
-	//--------------------------------------------------------------------
-
-	/**
-	 * Ensures we don't have escaped - values...
-	 *
-	 * @see https://github.com/codeigniter4/CodeIgniter4/issues/606
-	 */
-	public function testEscapeProtectsNegativeNumbers()
-	{
-		$db = new MockConnection($this->options);
-
-		$db->initialize();
-
-		$this->assertEquals("'-100'", $db->escape(-100));
-	}
-
 }

tests/system/Database/Live/EscapeTest.php

@@ -0,0 +1,79 @@
+<?php namespace CodeIgniter\Database\Live;
+
+use CodeIgniter\Test\CIDatabaseTestCase;
+
+/**
+ * @group DatabaseLive
+ */
+class EscapeTest extends CIDatabaseTestCase
+{
+	protected $refresh = false;
+
+	protected $char;
+
+	protected function setUp()
+	{
+		parent::setUp();
+
+		$this->char = $this->db->DBDriver === 'MySQLi' ? '\\' : "'";
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Ensures we don't have escaped - values...
+	 *
+	 * @see https://github.com/codeigniter4/CodeIgniter4/issues/606
+	 */
+	public function testEscapeProtectsNegativeNumbers()
+	{
+		$this->assertEquals("'-100'", $this->db->escape(-100));
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testEscape()
+	{
+		$expected = "SELECT * FROM brands WHERE name = 'O" . $this->char . "'Doules'";
+		$sql      = "SELECT * FROM brands WHERE name = " . $this->db->escape("O'Doules");
+
+		$this->assertEquals($expected, $sql);
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testEscapeString()
+	{
+		$expected = "SELECT * FROM brands WHERE name = 'O" . $this->char . "'Doules'";
+		$sql      = "SELECT * FROM brands WHERE name = '" . $this->db->escapeString("O'Doules") . "'";
+
+		$this->assertEquals($expected, $sql);
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testEscapeLikeString()
+	{
+		$expected = "SELECT * FROM brands WHERE column LIKE '%10!% more%' ESCAPE '!'";
+		$sql      = "SELECT * FROM brands WHERE column LIKE '%" . $this->db->escapeLikeString("10% more") . "%' ESCAPE '!'";
+
+		$this->assertEquals($expected, $sql);
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testEscapeLikeStringDirect()
+	{
+		if ($this->db->DBDriver === 'MySQLi')
+		{
+			$expected = "SHOW COLUMNS FROM brands WHERE column LIKE 'wild\_chars%'";
+			$sql      = "SHOW COLUMNS FROM brands WHERE column LIKE '". $this->db->escapeLikeStringDirect("wild_chars") . "%'";
+
+			$this->assertEquals($expected, $sql);
+		}
+		else
+		{
+			$this->expectNotToPerformAssertions();
+		}
+	}
+}

tests/system/Database/Live/ForgeTest.php

@@ -163,6 +163,8 @@ public function testCreateTableWithArrayFieldConstraints()
 			{
 				$this->assertEquals('enum', $fields[0]->type);
 			}
+
+			$this->forge->dropTable('forge_array_constraint', true);
 		}
 		else
 		{

tests/system/Database/Live/MetadataTest.php

@@ -0,0 +1,85 @@
+<?php namespace CodeIgniter\Database\Live;
+
+use CodeIgniter\Test\CIDatabaseTestCase;
+
+/**
+ * @group DatabaseLive
+ */
+class MetadataTest extends CIDatabaseTestCase
+{
+	protected $refresh = true;
+
+	protected $seed = 'Tests\Support\Database\Seeds\CITestSeeder';
+
+	/**
+	 * Array of expected tables.
+	 *
+	 * @var array
+	 */
+	protected $expectedTables;
+
+	protected function setUp()
+	{
+		parent::setUp();
+
+		// Prepare the array of expected tables once
+		$prefix = $this->db->getPrefix();
+		$this->expectedTables = [
+			$prefix . 'migrations',
+			$prefix . 'user',
+			$prefix . 'job',
+			$prefix . 'misc',
+			$prefix . 'empty',
+			$prefix . 'secondary'
+		];
+	}
+
+	public function testListTables()
+	{
+		$result = $this->db->listTables();
+
+		$this->assertEquals($this->expectedTables, array_values($result));
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testListTablesConstrainPrefix()
+	{
+		$result = $this->db->listTables(true);
+
+		$this->assertEquals($this->expectedTables, array_values($result));
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testConstrainPrefixIgnoresOtherTables()
+	{
+		$this->forge = \Config\Database::forge($this->DBGroup);
+
+		// Stash the prefix and change it
+		$DBPrefix = $this->db->getPrefix();
+		$this->db->setPrefix('tmp_');
+
+		// Create a table with the new prefix
+		$fields = [
+			'name'       => ['type' => 'varchar', 'constraint' => 31],
+			'created_at' => ['type' => 'datetime', 'null' => true],
+		];
+		$this->forge->addField($fields);
+		$this->forge->createTable('widgets');
+
+		// Restore the prefix and get the tables with the original prefix
+		$this->db->setPrefix($DBPrefix);
+		$result = $this->db->listTables(true);
+
+		$this->assertEquals($this->expectedTables, array_values($result));
+
+		// Clean up temporary table
+		$this->db->setPrefix('tmp_');
+		$this->forge->dropTable('widgets');
+		$this->db->setPrefix($DBPrefix);
+	}
+
+	//--------------------------------------------------------------------
+
+}