From d0f2f72b7e2c8bb3389140671be9929779fc3925 Mon Sep 17 00:00:00 2001
From: iszmais
Date: Mon, 28 Aug 2023 15:25:40 +0200
Subject: [PATCH] fix sql quotation of identifiers
---
 .../Database/classes/PDO/class.ilDBPdo.php | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/Services/Database/classes/PDO/class.ilDBPdo.php b/Services/Database/classes/PDO/class.ilDBPdo.php
index 484a30cc5e6b..0c2ef6785118 100644
--- a/Services/Database/classes/PDO/class.ilDBPdo.php
+++ b/Services/Database/classes/PDO/class.ilDBPdo.php
@@ -1,5 +1,19 @@
 quoteIdentifier($table_name) . " SET ";
 $lim = "";
 foreach ($fields as $k => $field) {
- $q .= $lim . $field . " = " . $placeholders_full[$k];
+ $q .= $lim . $this->quoteIdentifier($field) . " = " . $placeholders_full[$k];
 $lim = ", ";
 }
 $q .= " WHERE ";
 $lim = "";
 foreach ($where as $k => $col) {
- $q .= $lim . $k . " = " . $this->quote($col[1], $col[0]);
+ $q .= $lim . $this->quoteIdentifier($k) . " = " . $this->quote($col[1], $col[0]);
 $lim = " AND ";
 }
@@ -715,7 +729,7 @@ public function update($table_name, $columns, $where)
 $q .= " WHERE ";
 $lim = "";
 foreach ($where as $k => $col) {
- $q .= $lim . $k . " = %s";
+ $q .= $lim . $this->quoteIdentifier($k) . " = %s";
 $lim = " AND ";
 }
@@ -1144,7 +1158,7 @@ public function replace($table, $primaryKeys, $otherColumns)
 $values = array();
 foreach ($a_columns as $k => $col) {
- $fields[] = $k;
+ $fields[] = $this->quoteIdentifier($k);
 $placeholders[] = "%s";
 $placeholders2[] = ":$k";
 $types[] = $col[0];
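Review bot: Nothing pins the new `$this->quoteIdentifier($k)` in the `%s` WHERE loop of the `@@ -715` hunk, since the diffstat lists only class.ilDBPdo.php; a regression test that runs `update` against a column named after a reserved word would cover it, and the same gap applies to the two `quoteIdentifier` calls in the earlier hunk whose `@@` header is missing from the patch. Quoting makes such names syntactically safe, but the `$where` keys remain whatever the caller passes and are not checked against the table's columns, so any caller that builds those keys from request data still needs an allow-list upstream; a short comment above the loop, `// keys are quoted, not validated: callers must only pass known column names`, would make that contract explicit. The enclosing `update` body starts and ends outside the hunk.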
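Review bot: In the `@@ -1144` hunk `$fields[]` now holds the quoted identifier while `$placeholders2[] = ":$k"` two lines below still builds the named placeholder from the raw key, so a key that quoting makes acceptable in the column list (one containing a hyphen or a space, say) would, if `$placeholders2` feeds a prepared statement, now fail at the placeholder instead of at the column list as before. Rejecting such keys explicitly keeps the two lists aligned, e.g. `if (!preg_match('/^\w+$/', $k)) { throw new \InvalidArgumentException("invalid column name: $k"); }` at the top of the loop, or at least a comment stating that keys must be plain identifiers because they double as placeholder names. The `@@` context names `replace`, but the `$a_columns` loop reads like the insert path; either way the enclosing function starts and ends outside the hunk.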