Always quote identifiers in driver and reconstructor

Author: JanJakes

tests/WP_SQLite_Driver_Tests.php

@@ -1229,14 +1229,14 @@ public function testColumnWithOnUpdate() {
 					'name'     => '_wp_sqlite__tmp_table_created_at_on_update',
 					'tbl_name' => '_tmp_table',
 					'rootpage' => '0',
-					'sql'      => "CREATE TRIGGER \"_wp_sqlite__tmp_table_created_at_on_update\"\n\t\t\tAFTER UPDATE ON \"_tmp_table\"\n\t\t\tFOR EACH ROW\n\t\t\tBEGIN\n\t\t\t  UPDATE \"_tmp_table\" SET \"created_at\" = CURRENT_TIMESTAMP WHERE rowid = NEW.rowid;\n\t\t\tEND",
+					'sql'      => "CREATE TRIGGER `_wp_sqlite__tmp_table_created_at_on_update`\n\t\t\t\tAFTER UPDATE ON `_tmp_table`\n\t\t\t\tFOR EACH ROW\n\t\t\t\tBEGIN\n\t\t\t\t  UPDATE `_tmp_table` SET `created_at` = CURRENT_TIMESTAMP WHERE rowid = NEW.rowid;\n\t\t\t\tEND",
 				),
 				(object) array(
 					'type'     => 'trigger',
 					'name'     => '_wp_sqlite__tmp_table_updated_at_on_update',
 					'tbl_name' => '_tmp_table',
 					'rootpage' => '0',
-					'sql'      => "CREATE TRIGGER \"_wp_sqlite__tmp_table_updated_at_on_update\"\n\t\t\tAFTER UPDATE ON \"_tmp_table\"\n\t\t\tFOR EACH ROW\n\t\t\tBEGIN\n\t\t\t  UPDATE \"_tmp_table\" SET \"updated_at\" = CURRENT_TIMESTAMP WHERE rowid = NEW.rowid;\n\t\t\tEND",
+					'sql'      => "CREATE TRIGGER `_wp_sqlite__tmp_table_updated_at_on_update`\n\t\t\t\tAFTER UPDATE ON `_tmp_table`\n\t\t\t\tFOR EACH ROW\n\t\t\t\tBEGIN\n\t\t\t\t  UPDATE `_tmp_table` SET `updated_at` = CURRENT_TIMESTAMP WHERE rowid = NEW.rowid;\n\t\t\t\tEND",
 				),
 			),
 			$results

wp-includes/sqlite-ast/class-wp-sqlite-driver.php

@@ -577,7 +577,10 @@ public function get_saved_driver_version(): string {
 		$default_version = '0.0.0';
 		try {
 			$stmt = $this->execute_sqlite_query(
-				sprintf( 'SELECT value FROM %s WHERE name = ?', self::GLOBAL_VARIABLES_TABLE_NAME ),
+				sprintf(
+					'SELECT value FROM %s WHERE name = ?',
+					$this->quote_sqlite_identifier( self::GLOBAL_VARIABLES_TABLE_NAME )
+				),
 				array( self::DRIVER_VERSION_VARIABLE_NAME )
 			);
 			return $stmt->fetchColumn() ?? $default_version;
@@ -1212,7 +1215,11 @@ private function execute_delete_statement( WP_Parser_Node $node ): void {
 
 			$select_list = array();
 			foreach ( $table_aliases as $table ) {
-				$select_list[] = "\"$table\".rowid AS \"{$table}_rowid\"";
+				$select_list[] = sprintf(
+					'%s.rowid AS %s',
+					$this->quote_sqlite_identifier( $table ),
+					$this->quote_sqlite_identifier( $table . '_rowid' )
+				);
 			}
 
 			$ids = $this->execute_sqlite_query(
@@ -1288,7 +1295,10 @@ private function execute_create_table_statement( WP_Parser_Node $node ): void {
 		if ( $subnode->has_child_node( 'ifNotExists' ) ) {
 			$tables_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'tables' );
 			$table_exists = $this->execute_sqlite_query(
-				"SELECT 1 FROM $tables_table WHERE table_schema = ? AND table_name = ?",
+				sprintf(
+					'SELECT 1 FROM %s WHERE table_schema = ? AND table_name = ?',
+					$this->quote_sqlite_identifier( $tables_table )
+				),
 				array( $this->db_name, $table_name )
 			)->fetchColumn();
 
@@ -1329,7 +1339,10 @@ private function execute_alter_table_statement( WP_Parser_Node $node ): void {
 		// Save all column names from the original table.
 		$columns_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'columns' );
 		$column_names  = $this->execute_sqlite_query(
-			"SELECT COLUMN_NAME FROM $columns_table WHERE table_schema = ? AND table_name = ?",
+			sprintf(
+				'SELECT COLUMN_NAME FROM %s WHERE table_schema = ? AND table_name = ?',
+				$this->quote_sqlite_identifier( $columns_table )
+			),
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_COLUMN );
 
@@ -1437,9 +1450,9 @@ private function execute_truncate_table_statement( WP_Parser_Node $node ): void
 			$this->translate( $node->get_first_child_node( 'tableRef' ) )
 		);
 
-		$quoted_table_name = $this->quote_sqlite_identifier( $table_name );
-
-		$this->execute_sqlite_query( "DELETE FROM $quoted_table_name" );
+		$this->execute_sqlite_query(
+			sprintf( 'DELETE FROM %s', $this->quote_sqlite_identifier( $table_name ) )
+		);
 		try {
 			$this->execute_sqlite_query( 'DELETE FROM sqlite_sequence WHERE name = ?', array( $table_name ) );
 		} catch ( PDOException $e ) {
@@ -1576,7 +1589,7 @@ private function execute_show_index_statement( string $table_name ): void {
 					INDEX_COMMENT AS `Index_comment`,
 					IS_VISIBLE AS `Visible`,
 					EXPRESSION AS `Expression`
-				FROM ' . $statistics_table . '
+				FROM ' . $this->quote_sqlite_identifier( $statistics_table ) . '
 				WHERE table_schema = ?
 				AND table_name = ?
 				ORDER BY
@@ -1620,7 +1633,8 @@ private function execute_show_table_status_statement( WP_Parser_Node $node ): vo
 		);
 		$table_info    = $this->execute_sqlite_query(
 			sprintf(
-				"SELECT * FROM $tables_tables WHERE table_schema = ? %s",
+				'SELECT * FROM %s WHERE table_schema = ? %s',
+				$this->quote_sqlite_identifier( $tables_tables ),
 				$condition ?? ''
 			),
 			array( $database )
@@ -1688,7 +1702,8 @@ private function execute_show_tables_statement( WP_Parser_Node $node ): void {
 		);
 		$table_info   = $this->execute_sqlite_query(
 			sprintf(
-				"SELECT * FROM $table_tables WHERE table_schema = ? %s",
+				'SELECT * FROM %s WHERE table_schema = ? %s',
+				$this->quote_sqlite_identifier( $table_tables ),
 				$condition ?? ''
 			),
 			array( $database )
@@ -1745,7 +1760,10 @@ private function execute_show_columns_statement( WP_Parser_Node $node ): void {
 		// Check if the table exists.
 		$tables_tables = $this->information_schema_builder->get_table_name( $table_is_temporary, 'tables' );
 		$table_exists  = $this->execute_sqlite_query(
-			"SELECT 1 FROM $tables_tables WHERE table_schema = ? AND table_name = ?",
+			sprintf(
+				'SELECT 1 FROM %s WHERE table_schema = ? AND table_name = ?',
+				$this->quote_sqlite_identifier( $tables_tables )
+			),
 			array( $this->db_name, $table_name )
 		)->fetchColumn();
 
@@ -1763,10 +1781,11 @@ private function execute_show_columns_statement( WP_Parser_Node $node ): void {
 		}
 
 		// Fetch column information.
-		$column_info = $this->execute_sqlite_query(
+		$columns_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'columns' );
+		$column_info   = $this->execute_sqlite_query(
 			sprintf(
 				'SELECT * FROM %s WHERE table_schema = ? AND table_name = ? %s',
-				$this->information_schema_builder->get_table_name( $table_is_temporary, 'columns' ),
+				$this->quote_sqlite_identifier( $columns_table ),
 				$condition ?? ''
 			),
 			array( $database, $table_name )
@@ -1808,18 +1827,18 @@ private function execute_describe_statement( WP_Parser_Node $node ): void {
 
 		$columns_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'columns' );
 		$column_info   = $this->execute_sqlite_query(
-			"
+			'
 				SELECT
 					column_name AS `Field`,
 					column_type AS `Type`,
 					is_nullable AS `Null`,
 					column_key AS `Key`,
 					column_default AS `Default`,
 					extra AS Extra
-				FROM $columns_table
+				FROM ' . $this->quote_sqlite_identifier( $columns_table ) . '
 				WHERE table_schema = ?
 				AND table_name = ?
-			",
+			',
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_OBJ );
 
@@ -2015,11 +2034,13 @@ private function execute_administration_statement( WP_Parser_Node $node ): void
 			try {
 				switch ( $first_token->id ) {
 					case WP_MySQL_Lexer::ANALYZE_SYMBOL:
-						$stmt   = $this->execute_sqlite_query( "ANALYZE $quoted_table_name" );
+						$stmt   = $this->execute_sqlite_query( sprintf( 'ANALYZE %s', $quoted_table_name ) );
 						$errors = $stmt->fetchAll( PDO::FETCH_COLUMN );
 						break;
 					case WP_MySQL_Lexer::CHECK_SYMBOL:
-						$stmt   = $this->execute_sqlite_query( "PRAGMA integrity_check($quoted_table_name)" );
+						$stmt   = $this->execute_sqlite_query(
+							sprintf( 'PRAGMA integrity_check(%s)', $quoted_table_name )
+						);
 						$errors = $stmt->fetchAll( PDO::FETCH_COLUMN );
 						if ( 'ok' === $errors[0] ) {
 							array_shift( $errors );
@@ -2842,7 +2863,10 @@ private function recreate_table_from_information_schema(
 		if ( null === $column_map ) {
 			$columns_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'columns' );
 			$column_names  = $this->execute_sqlite_query(
-				"SELECT COLUMN_NAME FROM $columns_table WHERE table_schema = ? AND table_name = ?",
+				sprintf(
+					'SELECT COLUMN_NAME FROM %s WHERE table_schema = ? AND table_name = ?',
+					$this->quote_sqlite_identifier( $columns_table )
+				),
 				array( $this->db_name, $table_name )
 			)->fetchAll( PDO::FETCH_COLUMN );
 			$column_map    = array_combine( $column_names, $column_names );
@@ -2997,13 +3021,13 @@ private function translate_insert_or_replace_body_in_non_strict_mode(
 		$is_temporary  = $this->information_schema_builder->temporary_table_exists( $table_name );
 		$columns_table = $this->information_schema_builder->get_table_name( $is_temporary, 'columns' );
 		$columns       = $this->execute_sqlite_query(
-			"
+			'
 				SELECT column_name, is_nullable, column_default, data_type, extra
-				FROM $columns_table
+				FROM ' . $this->quote_sqlite_identifier( $columns_table ) . '
 				WHERE table_schema = ?
 				AND table_name = ?
 				ORDER BY ordinal_position
-			",
+			',
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_ASSOC );
 
@@ -3113,12 +3137,12 @@ private function translate_update_list_in_non_strict_mode( string $table_name, W
 		$is_temporary  = $this->information_schema_builder->temporary_table_exists( $table_name );
 		$columns_table = $this->information_schema_builder->get_table_name( $is_temporary, 'columns' );
 		$columns       = $this->execute_sqlite_query(
-			"
+			'
 				SELECT column_name, is_nullable, data_type, column_default
-				FROM $columns_table
+				FROM ' . $this->quote_sqlite_identifier( $columns_table ) . '
 				WHERE table_schema = ?
 				AND table_name = ?
-			",
+			',
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_ASSOC );
 		$column_map    = array_combine( array_column( $columns, 'COLUMN_NAME' ), $columns );
@@ -3176,9 +3200,9 @@ private function get_sqlite_create_table_statement(
 		// 1. Get table info.
 		$tables_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'tables' );
 		$table_info   = $this->execute_sqlite_query(
-			"
+			'
 				SELECT *
-				FROM $tables_table
+				FROM ' . $this->quote_sqlite_identifier( $tables_table ) . "
 				WHERE table_type = 'BASE TABLE'
 				AND table_schema = ?
 				AND table_name = ?
@@ -3196,14 +3220,20 @@ private function get_sqlite_create_table_statement(
 		// 2. Get column info.
 		$columns_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'columns' );
 		$column_info   = $this->execute_sqlite_query(
-			"SELECT * FROM $columns_table WHERE table_schema = ? AND table_name = ?",
+			sprintf(
+				'SELECT * FROM %s WHERE table_schema = ? AND table_name = ?',
+				$this->quote_sqlite_identifier( $columns_table )
+			),
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_ASSOC );
 
 		// 3. Get index info, grouped by index name.
 		$statistics_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'statistics' );
 		$constraint_info  = $this->execute_sqlite_query(
-			"SELECT * FROM $statistics_table WHERE table_schema = ? AND table_name = ?",
+			sprintf(
+				'SELECT * FROM %s WHERE table_schema = ? AND table_name = ?',
+				$this->quote_sqlite_identifier( $statistics_table )
+			),
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_ASSOC );
 
@@ -3366,9 +3396,9 @@ private function get_mysql_create_table_statement( bool $table_is_temporary, str
 		// 1. Get table info.
 		$tables_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'tables' );
 		$table_info   = $this->execute_sqlite_query(
-			"
+			'
 				SELECT *
-				FROM $tables_table
+				FROM ' . $this->quote_sqlite_identifier( $tables_table ) . "
 				WHERE table_type = 'BASE TABLE'
 				AND table_schema = ?
 				AND table_name = ?
@@ -3383,14 +3413,20 @@ private function get_mysql_create_table_statement( bool $table_is_temporary, str
 		// 2. Get column info.
 		$columns_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'columns' );
 		$column_info   = $this->execute_sqlite_query(
-			"SELECT * FROM $columns_table WHERE table_schema = ? AND table_name = ?",
+			sprintf(
+				'SELECT * FROM %s WHERE table_schema = ? AND table_name = ?',
+				$this->quote_sqlite_identifier( $columns_table )
+			),
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_ASSOC );
 
 		// 3. Get index info, grouped by index name.
 		$statistics_table = $this->information_schema_builder->get_table_name( $table_is_temporary, 'statistics' );
 		$constraint_info  = $this->execute_sqlite_query(
-			"SELECT * FROM $statistics_table WHERE table_schema = ? AND table_name = ?",
+			sprintf(
+				'SELECT * FROM %s WHERE table_schema = ? AND table_name = ?',
+				$this->quote_sqlite_identifier( $statistics_table )
+			),
 			array( $this->db_name, $table_name )
 		)->fetchAll( PDO::FETCH_ASSOC );
 
@@ -3518,14 +3554,20 @@ private function get_column_on_update_trigger_query( string $table, string $colu
 		// but currently that can't happen as we're not creating such tables.
 		// See: https://www.sqlite.org/rowidtable.html
 		$trigger_name = self::RESERVED_PREFIX . "{$table}_{$column}_on_update";
-		return "
-			CREATE TRIGGER \"$trigger_name\"
-			AFTER UPDATE ON \"$table\"
-			FOR EACH ROW
-			BEGIN
-			  UPDATE \"$table\" SET \"$column\" = CURRENT_TIMESTAMP WHERE rowid = NEW.rowid;
-			END
-		";
+		return sprintf(
+			'
+				CREATE TRIGGER %s
+				AFTER UPDATE ON %s
+				FOR EACH ROW
+				BEGIN
+				  UPDATE %s SET %s = CURRENT_TIMESTAMP WHERE rowid = NEW.rowid;
+				END
+			',
+			$this->quote_sqlite_identifier( $trigger_name ),
+			$this->quote_sqlite_identifier( $table ),
+			$this->quote_sqlite_identifier( $table ),
+			$this->quote_sqlite_identifier( $column )
+		);
 	}
 
 	/**

wp-includes/sqlite-ast/class-wp-sqlite-information-schema-reconstructor.php

@@ -122,7 +122,10 @@ private function get_sqlite_table_names(): array {
 	private function get_information_schema_table_names(): array {
 		$tables_table = $this->schema_builder->get_table_name( false, 'tables' );
 		return $this->driver->execute_sqlite_query(
-			"SELECT table_name FROM $tables_table ORDER BY table_name"
+			sprintf(
+				'SELECT table_name FROM %s ORDER BY table_name',
+				$this->quote_sqlite_identifier( $tables_table )
+			)
 		)->fetchAll( PDO::FETCH_COLUMN );
 	}
 
@@ -207,7 +210,10 @@ private function get_wp_create_table_statements(): array {
 	private function generate_create_table_statement( string $table_name ): string {
 		// Columns.
 		$columns = $this->driver->execute_sqlite_query(
-			sprintf( 'PRAGMA table_xinfo("%s")', $table_name )
+			sprintf(
+				'PRAGMA table_xinfo(%s)',
+				$this->quote_sqlite_identifier( $table_name )
+			)
 		)->fetchAll( PDO::FETCH_ASSOC );
 
 		$definitions  = array();
@@ -245,7 +251,10 @@ private function generate_create_table_statement( string $table_name ): string {
 
 		// Indexes and keys.
 		$keys = $this->driver->execute_sqlite_query(
-			'SELECT * FROM pragma_index_list("' . $table_name . '")'
+			sprintf(
+				'PRAGMA index_list(%s)',
+				$this->quote_sqlite_identifier( $table_name )
+			)
 		)->fetchAll( PDO::FETCH_ASSOC );
 
 		foreach ( $keys as $key ) {
@@ -375,7 +384,10 @@ private function generate_key_definition( string $table_name, array $key_info, a
 
 		// Key columns.
 		$key_columns = $this->driver->execute_sqlite_query(
-			'SELECT * FROM pragma_index_info("' . $key_info['name'] . '")'
+			sprintf(
+				'PRAGMA index_info(%s)',
+				$this->quote_sqlite_identifier( $key_info['name'] )
+			)
 		)->fetchAll( PDO::FETCH_ASSOC );
 		$cols        = array();
 		foreach ( $key_columns as $column ) {