From 473a0a12f54bc0e7e2d04bace6914fc3a16a8c64 Mon Sep 17 00:00:00 2001
From: Leo Feyer
Date: Thu, 31 Oct 2019 13:43:12 +0100
Subject: [PATCH] Quote the identifiers in the back end filter menu (see #906)

Description
-----------

Fixes #847

Commits
-------

24928cb3 Quote the identifiers in the back end filter menu (see #847)
---
 src/Resources/contao/drivers/DC_Table.php | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/Resources/contao/drivers/DC_Table.php b/src/Resources/contao/drivers/DC_Table.php
index 021ba7aab7..b78e80d3db 100644
--- a/src/Resources/contao/drivers/DC_Table.php
+++ b/src/Resources/contao/drivers/DC_Table.php
@@ -5471,6 +5471,8 @@ protected function filterMenu($intFilterPanel)
 {
 foreach ($sortingFields as $field)
 {
+ $what = Database::quoteIdentifier($field);
+
 if (isset($session['filter'][$filter][$field]))
 {
 // Sort by day
@@ -5478,12 +5480,12 @@ protected function filterMenu($intFilterPanel)
 {
 if ($session['filter'][$filter][$field] == '')
 {
- $this->procedure[] = $field . "=''";
+ $this->procedure[] = $what . "=''";
 }
 else
 {
 $objDate = new \Date($session['filter'][$filter][$field]);
- $this->procedure[] = $field . ' BETWEEN ? AND ?';
+ $this->procedure[] = $what . ' BETWEEN ? AND ?';
 $this->values[] = $objDate->dayBegin;
 $this->values[] = $objDate->dayEnd;
 }
@@ -5494,12 +5496,12 @@ protected function filterMenu($intFilterPanel)
 {
 if ($session['filter'][$filter][$field] == '')
 {
- $this->procedure[] = $field . "=''";
+ $this->procedure[] = $what . "=''";
 }
 else
 {
 $objDate = new \Date($session['filter'][$filter][$field]);
- $this->procedure[] = $field . ' BETWEEN ? AND ?';
+ $this->procedure[] = $what . ' BETWEEN ? AND ?';
 $this->values[] = $objDate->monthBegin;
 $this->values[] = $objDate->monthEnd;
 }
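Review bot: `Database::quoteIdentifier($field)` at the top of the `foreach` makes the column name syntactically safe, but it is not a check that `$field` names a real column of the table; `$sortingFields` is built outside this hunk, so it is worth confirming that it only ever holds names taken from the DCA field definitions. The name `$what` says little about its content; `$quotedField` would read better, with a comment such as `// Quote the column name so reserved words or special characters cannot break the WHERE fragment`. `filterMenu()` starts and ends outside the hunk, so any other statement in it that still concatenates the raw `$field` into SQL is not visible here and should be checked for the same treatment.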
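Review bot: The empty-filter test in the day branch, `if ($session['filter'][$filter][$field] == '')`, is a loose comparison, and on PHP 7 an integer `0` in the session would compare equal to `''` and take the `=''` branch instead of `BETWEEN ? AND ?`. Since these lines are being touched anyway, `if ((string) $session['filter'][$filter][$field] === '')` states the intent exactly; the same line appears in the month and year hunks. The non-empty value is then passed straight to `new \Date(...)`; whether it is checked to be a timestamp beforehand happens outside these hunks and would deserve a short comment here.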
@@ -5510,12 +5512,12 @@ protected function filterMenu($intFilterPanel)
 {
 if ($session['filter'][$filter][$field] == '')
 {
- $this->procedure[] = $field . "=''";
+ $this->procedure[] = $what . "=''";
 }
 else
 {
 $objDate = new \Date($session['filter'][$filter][$field]);
- $this->procedure[] = $field . ' BETWEEN ? AND ?';
+ $this->procedure[] = $what . ' BETWEEN ? AND ?';
 $this->values[] = $objDate->yearBegin;
 $this->values[] = $objDate->yearEnd;
 }
@@ -5532,7 +5534,7 @@ protected function filterMenu($intFilterPanel)
 }
 else
 {
- $this->procedure[] = $field . ' LIKE ?';
+ $this->procedure[] = $what . ' LIKE ?';
 $this->values[] = '%"' . $session['filter'][$filter][$field] . '"%';
 }
 }
@@ -5540,7 +5542,7 @@ protected function filterMenu($intFilterPanel)
 // Other sort algorithm
 else
 {
- $this->procedure[] = $field . '=?';
+ $this->procedure[] = $what . '=?';
 $this->values[] = $session['filter'][$filter][$field];
 }
 }
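Review bot: The session value in the `LIKE ?` branch is bound as a parameter, so it cannot change the statement, but `%` and `_` inside it still act as wildcards because it is wrapped as `'%"' . $value . '"%'` without escaping. A filter value containing either character would therefore match more rows than the selected option. Escaping before binding keeps the match literal, e.g. `$this->values[] = '%"' . addcslashes($session['filter'][$filter][$field], '\\%_') . '"%';`, assuming the database uses the default backslash escape for LIKE. The condition that selects this branch lies outside the hunk.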