Improved regex for SQL group, order, from

[ezimuel]

This is an improvement of Zend_Db_Select regarding the SQL regular expressions used in oder(), group() and from() functions. This fix is based on the feedbacks received in zf-security mailing list, about security advisory ZF2014-04. After some discussion, the reporters have decided that this is an application issue rather than an framework issue; however, we felt we could make the functionality more robust regardless.

[croensch]

What about functions with underscore like DATE_FORMAT()? I guess i would have to wrap that in Zend_Db_Expr myself.

[froschdesign]

@croensch

I guess i would have to wrap that in Zend_Db_Expr myself.

Right.

Ping @ezimuel for confirmation.

[Ezo]

Just curious here.

As i wasn't wrapping all my expressions in Zend_Db_Expr, upgrading my (old) project to ZF1.2.8 broke some queries.
Of course it's good practice to use Zend_Db_Expr, but shouldn't a minor update be backward compatible?

[mpichot]

Hi there,

This improve broke some order by like new Zend_Db_Expr('TO_DAYS(STR_TO_DATE('.$field.',"%d/%m/%Y"))'). It results in TO_DAYS(STR_TO_DATE(debut,"%d/%m/%Y")). The back quotes are bad there. It must be TO_DAYS(STR_TO_DATE(debut,"%d/%m/%Y")).

Do I miss something ?

[druidvav]

This PR caused a bug: #424

[ezimuel]

I'm sorry that this "improvement" has break some code. We did this for security reason, see ZF2014-04. To fix this in existing code, you should use Zend_Db_Expr if your order(), group() or from() statements contain complex SQL statemente with nested functions.