function where($where, $fields = array()) {
global $jush;
$return = array();
+ $function_pattern = '(^[\w\(]+' . str_replace("_", ".*", preg_quote(idf_escape("_"))) . '\)+$)'; //! columns looking like functions
foreach ((array) $where["where"] as $key => $val) {
- $return[] = idf_escape(bracket_escape($key, 1)) // 1 - back
+ $key = bracket_escape($key, 1); // 1 - back
+ $return[] = (preg_match($function_pattern, $key) ? $key : idf_escape($key)) //! SQL injection
. (($jush == "sql" && ereg('\\.', $val)) || $jush == "mssql" ? " LIKE " . exact_value(addcslashes($val, "%_\\")) : " = " . unconvert_field($fields[$key], exact_value($val))) // LIKE because of floats, but slow with ints, in MS SQL because of text
; //! enum and set
}
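Review bot: The `$function_pattern` test on the `$return[] = (preg_match($function_pattern, $key) ? $key : idf_escape($key))` line lets any matching key skip `idf_escape()`, and the `.*` substituted for `_` puts no constraint on what sits between the identifier quotes, so a match does not establish that the key is one function call over one column. If the keys of `$where["where"]` originate from request data (the caller is not visible in this hunk), the raw `$key` becomes part of the WHERE clause, which is what the author's own `//! SQL injection` marker points at. Rather than emitting `$key` verbatim, capture the function name and the column separately, check the name against an allowlist of the functions the UI actually generates, and rebuild the expression with `idf_escape()` applied to the captured column. Note also that `$fields[$key]` on the following line is now indexed by the unescaped key, which presumably has no entry for function-style keys. The body of `where()` continues past the end of this hunk.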