authorjfd <jfd@underverse>2012-07-30 20:46:14 +0200
committerJörn Friedrich Dreyer <jfd@butonic.de>2012-07-31 18:53:05 +0200
commitede464f05872574a703c36d8d976b5c97e55c23f (patch)
treec075f46d52b905a93cb5d3137af5198de83d34f2 /apps/bookmarks
parent3c5670b662ea9e5ee36146f10f63faaadacb8187 (diff)
downloadnextcloud-server-ede464f05872574a703c36d8d976b5c97e55c23f.tar.gz
nextcloud-server-ede464f05872574a703c36d8d976b5c97e55c23f.zip
escape all identifiers with backticks
Diffstat (limited to 'apps/bookmarks')
-rw-r--r--apps/bookmarks/ajax/editBookmark.php37
-rw-r--r--apps/bookmarks/ajax/recordClick.php12
-rw-r--r--apps/bookmarks/appinfo/migrate.php8
-rw-r--r--apps/bookmarks/bookmarksHelper.php10
-rw-r--r--apps/bookmarks/lib/bookmarks.php50
5 files changed, 62 insertions, 55 deletions
diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php
index 36258f70961..8c1b19cf0c6 100644
--- a/apps/bookmarks/ajax/editBookmark.php
+++ b/apps/bookmarks/ajax/editBookmark.php
@@ -36,6 +36,8 @@ if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){
$_ut = "strftime('%s','now')";
} elseif($CONFIG_DBTYPE == 'pgsql') {
$_ut = 'date_part(\'epoch\',now())::integer';
+} elseif($CONFIG_DBTYPE == 'oci') {
+ $_ut = '(oracletime - to_date(\'19700101\',\'YYYYMMDD\')) * 86400';
} else {
$_ut = "UNIX_TIMESTAMP()";
}
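Review bot: The new `oci` branch builds the timestamp from `oracletime`, which is not defined anywhere in this hunk and is not a function or pseudo-column I recognise for Oracle. Unless `OCP\DB::prepare` rewrites that token, the UPDATE in the next hunk will likely fail to parse on Oracle. If the intent is the current time, `SYSDATE` is the usual source: `$_ut = '(SYSDATE - to_date(\'19700101\',\'YYYYMMDD\')) * 86400';`. Please also confirm whether the result needs rounding to an integer for the `lastmodified` column. The `if` chain starts above the hunk.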
@@ -43,12 +45,13 @@ if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){
$bookmark_id = (int)$_POST["id"];
$user_id = OCP\USER::getUser();
-$query = OCP\DB::prepare("
- UPDATE *PREFIX*bookmarks
- SET url = ?, title =?, lastmodified = $_ut
- WHERE id = ?
- AND user_id = ?
- ");
+//TODO check using CURRENT_TIMESTAMP? prepare already does magic when using now()
+$query = OCP\DB::prepare('
+ UPDATE `*PREFIX*bookmarks`
+ SET `url` = ?, `title` = ?, `lastmodified` = '.$_ut.'
+ WHERE `id` = ?
+ AND `user_id` = ?
+ ');
$params=array(
htmlspecialchars_decode($_POST["url"]),
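Review bot: The statement text is still assembled by concatenating `$_ut`, and nothing next to the `prepare()` call says why that is acceptable. It is safe only because `$_ut` is one of the fixed literals chosen by the `$CONFIG_DBTYPE` chain in the previous hunk. A comment above the call would keep that invariant visible, for example `// $_ut is a fixed SQL fragment selected by DB type above, never request data`. The same applies to the `$_ut` interpolation in `addBookmark()` in bookmarksHelper.php. The `$params` array continues past the end of this hunk.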
@@ -63,18 +66,22 @@ $result = $query->execute($params);
if ($result->numRows() == 0) exit();
# Remove old tags and insert new ones.
-$query = OCP\DB::prepare("
- DELETE FROM *PREFIX*bookmarks_tags
- WHERE bookmark_id = $bookmark_id
- ");
+$query = OCP\DB::prepare('
+ DELETE FROM `*PREFIX*bookmarks_tags`
+ WHERE `bookmark_id` = ?
+ ');
-$query->execute();
+$params=array(
+ $bookmark_id
+ );
+
+$query->execute($params);
-$query = OCP\DB::prepare("
- INSERT INTO *PREFIX*bookmarks_tags
- (bookmark_id, tag)
+$query = OCP\DB::prepare('
+ INSERT INTO `*PREFIX*bookmarks_tags`
+ (`bookmark_id`, `tag`)
VALUES (?, ?)
- ");
+ ');
$tags = explode(' ', urldecode($_POST["tags"]));
foreach ($tags as $tag) {
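Review bot: The tag DELETE is now bound, but it is scoped by `bookmark_id` alone. What stops it from touching another user's tags is the earlier `if ($result->numRows() == 0) exit();` after the user-scoped UPDATE. That dependency is easy to lose in a later refactor, and it assumes `numRows()` reports affected rows for an UPDATE on every backend, which is not visible here. I would add a comment above the DELETE such as `// ownership enforced by the user_id-scoped UPDATE above; do not run this without that check`. The `foreach` body continues outside the hunk.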
diff --git a/apps/bookmarks/ajax/recordClick.php b/apps/bookmarks/ajax/recordClick.php
index 1eee1718d13..332d58262ee 100644
--- a/apps/bookmarks/ajax/recordClick.php
+++ b/apps/bookmarks/ajax/recordClick.php
@@ -30,12 +30,12 @@ $RUNTIME_NOSETUPFS=true;
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('bookmarks');
-$query = OCP\DB::prepare("
- UPDATE *PREFIX*bookmarks
- SET clickcount = clickcount + 1
- WHERE user_id = ?
- AND url LIKE ?
- ");
+$query = OCP\DB::prepare('
+ UPDATE `*PREFIX*bookmarks`
+ SET `clickcount` = `clickcount` + 1
+ WHERE `user_id` = ?
+ AND `url` LIKE ?
+ ');
$params=array(OCP\USER::getUser(), htmlspecialchars_decode($_POST["url"]));
$bookmarks = $query->execute($params);
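Review bot: The rewritten query keeps `LIKE ?` for a value taken from `$_POST["url"]`, so any `%` or `_` in the submitted URL is treated as a wildcard. One request can then bump `clickcount` on several of the user's bookmarks instead of exactly one. The match is still limited by `user_id`, so the impact is integrity of the counters rather than cross-user access. An exact comparison avoids it: ``AND `url` = ?``. The `LIKE ?` comparisons on `user_id` and `bookmark_id` in the migrate.php hunk have the same wildcard behaviour and would also be better as `=`.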
diff --git a/apps/bookmarks/appinfo/migrate.php b/apps/bookmarks/appinfo/migrate.php
index e7e572f52dc..f14469269a2 100644
--- a/apps/bookmarks/appinfo/migrate.php
+++ b/apps/bookmarks/appinfo/migrate.php
@@ -35,23 +35,23 @@ class OC_Migration_Provider_Bookmarks extends OC_Migration_Provider{
switch( $this->appinfo->version ){
default:
// All versions of the app have had the same db structure, so all can use the same import function
- $query = $this->content->prepare( "SELECT * FROM bookmarks WHERE user_id LIKE ?" );
+ $query = $this->content->prepare( "SELECT * FROM `bookmarks` WHERE `user_id` LIKE ?" );
$results = $query->execute( array( $this->olduid ) );
$idmap = array();
while( $row = $results->fetchRow() ){
// Import each bookmark, saving its id into the map
- $query = OCP\DB::prepare( "INSERT INTO *PREFIX*bookmarks(url, title, user_id, public, added, lastmodified) VALUES (?, ?, ?, ?, ?, ?)" );
+ $query = OCP\DB::prepare( "INSERT INTO `*PREFIX*bookmarks`(`url`, `title`, `user_id`, `public`, `added`, `lastmodified`) VALUES (?, ?, ?, ?, ?, ?)" );
$query->execute( array( $row['url'], $row['title'], $this->uid, $row['public'], $row['added'], $row['lastmodified'] ) );
// Map the id
$idmap[$row['id']] = OCP\DB::insertid();
}
// Now tags
foreach($idmap as $oldid => $newid){
- $query = $this->content->prepare( "SELECT * FROM bookmarks_tags WHERE bookmark_id LIKE ?" );
+ $query = $this->content->prepare( "SELECT * FROM `bookmarks_tags` WHERE `bookmark_id` LIKE ?" );
$results = $query->execute( array( $oldid ) );
while( $row = $results->fetchRow() ){
// Import the tags for this bookmark, using the new bookmark id
- $query = OCP\DB::prepare( "INSERT INTO *PREFIX*bookmarks_tags(bookmark_id, tag) VALUES (?, ?)" );
+ $query = OCP\DB::prepare( "INSERT INTO `*PREFIX*bookmarks_tags`(`bookmark_id`, `tag`) VALUES (?, ?)" );
$query->execute( array( $newid, $row['tag'] ) );
}
}
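Review bot: Both INSERT statements are re-prepared on every loop iteration, and the tag SELECT is re-prepared for every entry in `$idmap`, although the SQL text never changes. The same `$query` variable is also reused for the SELECT and the INSERT, which makes the loops harder to follow. Preparing each statement once before its loop under a distinct name would be clearer, for example `$insertTag = OCP\DB::prepare( ... );` before the `foreach` and `$insertTag->execute( array( $newid, $row['tag'] ) );` inside it. The enclosing method and `switch` start and end outside the hunk.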
diff --git a/apps/bookmarks/bookmarksHelper.php b/apps/bookmarks/bookmarksHelper.php
index 01b551111e0..cb0ca06c728 100644
--- a/apps/bookmarks/bookmarksHelper.php
+++ b/apps/bookmarks/bookmarksHelper.php
@@ -83,8 +83,8 @@ function addBookmark($url, $title, $tags='') {
//FIXME: Detect when user adds a known URL
$query = OCP\DB::prepare("
- INSERT INTO *PREFIX*bookmarks
- (url, title, user_id, public, added, lastmodified)
+ INSERT INTO `*PREFIX*bookmarks`
+ (`url`, `title`, `user_id`, `public`, `added`, `lastmodified`)
VALUES (?, ?, ?, 0, $_ut, $_ut)
");
@@ -109,8 +109,8 @@ function addBookmark($url, $title, $tags='') {
if($b_id !== false) {
$query = OCP\DB::prepare("
- INSERT INTO *PREFIX*bookmarks_tags
- (bookmark_id, tag)
+ INSERT INTO `*PREFIX*bookmarks_tags`
+ (`bookmark_id`, `tag`)
VALUES (?, ?)
");
@@ -126,4 +126,4 @@ function addBookmark($url, $title, $tags='') {
return $b_id;
}
-} \ No newline at end of file
+}
diff --git a/apps/bookmarks/lib/bookmarks.php b/apps/bookmarks/lib/bookmarks.php
index e0005968f31..4b9e3d6438a 100644
--- a/apps/bookmarks/lib/bookmarks.php
+++ b/apps/bookmarks/lib/bookmarks.php
@@ -71,14 +71,14 @@ class OC_Bookmarks_Bookmarks{
if($CONFIG_DBTYPE == 'pgsql' ){
$query = OCP\DB::prepare('
- SELECT id, url, title, '.($filterTagOnly?'':'url || title ||').' array_to_string(array_agg(tag), \' \') as tags
- FROM *PREFIX*bookmarks
- LEFT JOIN *PREFIX*bookmarks_tags ON *PREFIX*bookmarks.id = *PREFIX*bookmarks_tags.bookmark_id
+ SELECT `id`, `url`, `title`, '.($filterTagOnly?'':'`url` || `title` ||').' array_to_string(array_agg(`tag`), \' \') as `tags`
+ FROM `*PREFIX*bookmarks`
+ LEFT JOIN `*PREFIX*bookmarks_tags` ON `*PREFIX*bookmarks`.`id` = `*PREFIX*bookmarks_tags`.`bookmark_id`
WHERE
- *PREFIX*bookmarks.user_id = ?
- GROUP BY id, url, title
+ `*PREFIX*bookmarks`.`user_id` = ?
+ GROUP BY `id`, `url`, `title`
'.$sqlFilterTag.'
- ORDER BY *PREFIX*bookmarks.'.$sqlSortColumn.' DESC
+ ORDER BY `*PREFIX*bookmarks`.`'.$sqlSortColumn.'` DESC
LIMIT 10
OFFSET '. $offset);
} else {
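Review bot: `$sqlSortColumn`, `$sqlFilterTag` and `$offset` are still concatenated into the statement text, here and in the MySQL/SQLite branch of the next hunk. Wrapping `$sqlSortColumn` in backticks does not make it safe if the value can itself contain a backtick. Their assignments are outside the hunk, so this may already be handled. If it is not, resolve the sort key through a fixed allowlist of column names before it reaches the query, and force the offset to an integer with `$offset = (int)$offset;`. Since this branch runs only for `pgsql`, it is also worth confirming that `OCP\DB::prepare` translates the backticks, because PostgreSQL quotes identifiers with double quotes.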
@@ -88,25 +88,25 @@ class OC_Bookmarks_Bookmarks{
$concatFunction = 'Concat(Concat( url, title), ';
$query = OCP\DB::prepare('
- SELECT id, url, title, '
+ SELECT `id`, `url`, `title`, '
.($filterTagOnly?'':$concatFunction).
- 'CASE WHEN *PREFIX*bookmarks.id = *PREFIX*bookmarks_tags.bookmark_id
- THEN GROUP_CONCAT( tag ' .$_gc_separator. ' )
+ 'CASE WHEN `*PREFIX*bookmarks`.`id` = `*PREFIX*bookmarks_tags`.`bookmark_id`
+ THEN GROUP_CONCAT( `tag` ' .$_gc_separator. ' )
ELSE \' \'
END '
.($filterTagOnly?'':')').'
- AS tags
- FROM *PREFIX*bookmarks
- LEFT JOIN *PREFIX*bookmarks_tags ON 1=1
- WHERE (*PREFIX*bookmarks.id = *PREFIX*bookmarks_tags.bookmark_id
- OR *PREFIX*bookmarks.id NOT IN (
- SELECT *PREFIX*bookmarks_tags.bookmark_id FROM *PREFIX*bookmarks_tags
+ AS `tags`
+ FROM `*PREFIX*bookmarks`
+ LEFT JOIN `*PREFIX*bookmarks_tags` ON 1=1
+ WHERE (`*PREFIX*bookmarks`.`id` = `*PREFIX*bookmarks_tags`.`bookmark_id`
+ OR `*PREFIX*bookmarks`.`id` NOT IN (
+ SELECT `*PREFIX*bookmarks_tags`.`bookmark_id` FROM `*PREFIX*bookmarks_tags`
)
)
- AND *PREFIX*bookmarks.user_id = ?
- GROUP BY url
+ AND `*PREFIX*bookmarks`.`user_id` = ?
+ GROUP BY `url`
'.$sqlFilterTag.'
- ORDER BY *PREFIX*bookmarks.'.$sqlSortColumn.' DESC
+ ORDER BY `*PREFIX*bookmarks`.`'.$sqlSortColumn.'` DESC
LIMIT '.$offset.', 10');
}
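Review bot: `$concatFunction` on the first line of this hunk still contains the bare identifiers `url, title`, so the commit's goal of quoting every identifier is not met for this query. For consistency it should read ``$concatFunction = 'Concat(Concat( `url`, `title`), ';``. The `$_gc_separator` fragment is concatenated as well and is assigned outside the hunk; it should be confirmed to be a fixed literal.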
@@ -119,9 +119,9 @@ class OC_Bookmarks_Bookmarks{
$user = OCP\USER::getUser();
$query = OCP\DB::prepare("
- SELECT id FROM *PREFIX*bookmarks
- WHERE id = ?
- AND user_id = ?
+ SELECT `id` FROM `*PREFIX*bookmarks`
+ WHERE `id` = ?
+ AND `user_id` = ?
");
$result = $query->execute(array($id, $user));
@@ -131,15 +131,15 @@ class OC_Bookmarks_Bookmarks{
}
$query = OCP\DB::prepare("
- DELETE FROM *PREFIX*bookmarks
- WHERE id = $id
+ DELETE FROM `*PREFIX*bookmarks`
+ WHERE `id` = $id
");
$result = $query->execute();
$query = OCP\DB::prepare("
- DELETE FROM *PREFIX*bookmarks_tags
- WHERE bookmark_id = $id
+ DELETE FROM `*PREFIX*bookmarks_tags`
+ WHERE `bookmark_id` = $id
");
$result = $query->execute();
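Review bot: Both DELETE statements still interpolate `$id` into the SQL text, while the ownership check in the previous hunk binds it as a parameter. Where `$id` comes from is outside the hunk. If it is not forced to an integer first, a non-numeric value could pass the bound check under loose numeric comparison and then change the meaning of the interpolated DELETEs. Binding it, as this commit already does for the tag DELETE in editBookmark.php, closes that gap: use ``WHERE `id` = ?`` (and ``WHERE `bookmark_id` = ?``) with `$result = $query->execute(array($id));`.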