Merge pull request #11929 from nextcloud/backport/11870/proper-column-name-escaping

[stable14] Properly escape column name in "createFunction" call

3 files changed, 5 insertions, 5 deletions

diff --git a/lib/private/Comments/Manager.php b/lib/private/Comments/Manager.php
index 6d9e37ae94e..e9bb001f77d 100644
--- a/lib/private/Comments/Manager.php
+++ b/lib/private/Comments/Manager.php
@@ -163,7 +163,7 @@ class Manager implements ICommentsManager {
 	 */
 	protected function updateChildrenInformation($id, \DateTime $cDateTime) {
 		$qb = $this->dbConn->getQueryBuilder();
-		$query = $qb->select($qb->createFunction('COUNT(`id`)'))
+		$query = $qb->select($qb->createFunction('COUNT(' . $qb->getColumnName('id') . ')'))
 			->from('comments')
 			->where($qb->expr()->eq('parent_id', $qb->createParameter('id')))
 			->setParameter('id', $id);
diff --git a/lib/private/Group/Database.php b/lib/private/Group/Database.php
index 9bcb7eb3385..c77ae9e2ee8 100644
--- a/lib/private/Group/Database.php
+++ b/lib/private/Group/Database.php
@@ -387,9 +387,9 @@ class Database extends ABackend
 		$this->fixDI();
 		
 		$query = $this->dbConn->getQueryBuilder();
-		$query->select($query->createFunction('COUNT(Distinct uid)'))
+		$query->select($query->createFunction('COUNT(DISTINCT ' . $query->getColumnName('uid') . ')'))
 			->from('preferences', 'p')
-			->innerJoin('p', 'group_user', 'g', 'p.userid = g.uid')
+			->innerJoin('p', 'group_user', 'g', $query->expr()->eq('p.userid', 'g.uid'))
 			->where($query->expr()->eq('appid', $query->createNamedParameter('core')))
 			->andWhere($query->expr()->eq('configkey', $query->createNamedParameter('enabled')))
 			->andWhere($query->expr()->eq('configvalue', $query->createNamedParameter('false'), IQueryBuilder::PARAM_STR))
diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
index 494a345be59..54d7d7f9612 100644
--- a/lib/private/User/Manager.php
+++ b/lib/private/User/Manager.php
@@ -475,9 +475,9 @@ class Manager extends PublicEmitter implements IUserManager {
 	 */
 	public function countDisabledUsersOfGroups(array $groups): int {
 		$queryBuilder = \OC::$server->getDatabaseConnection()->getQueryBuilder();
-		$queryBuilder->select($queryBuilder->createFunction('COUNT(Distinct uid)'))
+		$queryBuilder->select($queryBuilder->createFunction('COUNT(DISTINCT ' . $queryBuilder->getColumnName('uid') . ')'))
 			->from('preferences', 'p')
-			->innerJoin('p', 'group_user', 'g', 'p.userid = g.uid')
+			->innerJoin('p', 'group_user', 'g', $queryBuilder->expr()->eq('p.userid', 'g.uid'))
 			->where($queryBuilder->expr()->eq('appid', $queryBuilder->createNamedParameter('core')))
 			->andWhere($queryBuilder->expr()->eq('configkey', $queryBuilder->createNamedParameter('enabled')))
 			->andWhere($queryBuilder->expr()->eq('configvalue', $queryBuilder->createNamedParameter('false'), IQueryBuilder::PARAM_STR))