Split off sanitize to a separate method

GetDKAN · Aug 30, 2024 · f8d4c7e · f8d4c7e
1 parent 150a1ad
commit f8d4c7e
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/modules/common/src/Storage/SelectFactory.php b/modules/common/src/Storage/SelectFactory.php
@@ -104,10 +104,8 @@ private function setQueryProperties(Query $query) {
   private function addDateExpressions($db_query, $fields, $meta_data) {
     foreach ($meta_data as $definition) {
       // Confirm definition name is in the fields list.
-      $name = $this->dbQuery->escapeField($definition['name']);
-      $sanitizedName = $fields[$name]['field'];
-      if ($sanitizedName && $definition['type'] == 'date') {
-        $db_query->addExpression("DATE_FORMAT(" . $sanitizedName . ", '" . $definition['format'] . "')", $sanitizedName);
+      if ($fields[$definition['name']]['field'] && $definition['type'] == 'date') {
+        $db_query->addExpression("DATE_FORMAT(" . $definition['name'] . ", '" . $definition['format'] . "')", $definition['name']);
       }
     }
   }
@@ -123,6 +121,7 @@ private function setQueryProperty(mixed $property) {
     if (isset($property->expression)) {
       $expressionStr = $this->expressionToString($property->expression);
       $this->dbQuery->addExpression($expressionStr, $property->alias);
+
     }
     else {
       $property = $this->normalizeProperty($property);
@@ -143,7 +142,7 @@ private function normalizeProperty(mixed $property): object {
     if (is_string($property) && self::safeProperty($property)) {
       return (object) [
         "collection" => $this->alias,
-        "property" => $this->dbQuery->escapeField($property),
+        "property" => $property,
         "alias" => NULL,
       ];
     }
@@ -152,6 +151,10 @@ private function normalizeProperty(mixed $property): object {
     }
     // Throw exception if obviously unsafe property name.
     self::safeProperty($property->property);
+    return $property;
+  }
+
+  private function sanitizeProperty(object $property) {
     // Sanitize the property name.
     $property->property = $this->dbQuery->escapeField($property->property);
     $property->alias = isset($property->alias) ? $this->connection->escapeAlias($property->alias) : NULL;
@@ -254,6 +257,7 @@ private function normalizeOperand(mixed $operand) {
    */
   private function propertyToString(mixed $property) {
     $property = $this->normalizeProperty($property);
+    $property = $this->sanitizeProperty($property);
     return "{$property->collection}.{$property->property}";
   }