escape table name when updating Objects

Isaac Connor 2020-09-07 10:21:06 -04:00
parent 94b29c6c7a
commit 3b1be3346b
1 changed files with 3 additions and 3 deletions


@ -306,7 +306,7 @@ class ZM_Object {
$fields = array_keys($fields); $fields = array_keys($fields);
if ( $this->Id() ) { if ( $this->Id() ) {
$sql = 'UPDATE '.$table.' SET '.implode(', ', array_map(function($field) {return '`'.$field.'`=?';}, $fields)).' WHERE Id=?'; $sql = 'UPDATE `'.$table.'` SET '.implode(', ', array_map(function($field) {return '`'.$field.'`=?';}, $fields)).' WHERE Id=?';
$values = array_map(function($field){ return $this->{$field};}, $fields); $values = array_map(function($field){ return $this->{$field};}, $fields);
$values[] = $this->{'Id'}; $values[] = $this->{'Id'};
if ( dbQuery($sql, $values) ) if ( dbQuery($sql, $values) )
@ -314,8 +314,8 @@ class ZM_Object {
} else { } else {
unset($fields['Id']); unset($fields['Id']);
$sql = 'INSERT INTO '.$table. $sql = 'INSERT INTO `'.$table.
' ('.implode(', ', array_map(function($field) {return '`'.$field.'`';}, $fields)). '` ('.implode(', ', array_map(function($field) {return '`'.$field.'`';}, $fields)).
') VALUES ('. ') VALUES ('.
implode(', ', array_map(function($field){return '?';}, $fields)).')'; implode(', ', array_map(function($field){return '?';}, $fields)).')';
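Review bot: Backticks around `$table` in the UPDATE and INSERT strings quote the identifier but do not escape it, so a backtick inside the table name (or inside a `$field` name, which is wrapped the same way) would still terminate the identifier and leave the rest to be parsed as SQL. Where `$table` and the keys of `$fields` come from is outside these hunks; if either can be influenced by request data, check them against the class's known table and column names before building the statement, and double any embedded backtick as a fallback. Separately, `unset($fields['Id'])` runs after `$fields = array_keys($fields)`, where the array has integer keys, so unless the lines between the two hunks reassign `$fields` it appears to remove nothing; `$fields = array_diff($fields, array('Id'));` would match the intent. The enclosing method starts and ends outside the hunks shown.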