Fix check if table exists #16581

sgiehl · 2020-10-16T12:14:37Z

tsteur · 2020-10-18T20:29:17Z

core/DbHelper.php

@@ -37,7 +37,7 @@ public static function getTablesInstalled($forceReload = true)
     */
    public static function tableExists($tableName)
    {
-        return Db::get()->query("SHOW TABLES LIKE ?", $tableName)->rowCount() > 0;


Do bind parameters not work there basically @sgiehl ? If we prefix below, then we could also do an equal = comparison and not like?

Couldn't find any reliable information on that, but found various reports that variables don't work in SHOW TABLES query. Switching to an equal isn't possible in that case I guess as SHOW TABLES LIKE is a predefined construct, at least I wouldn't know how to convert that to a where condition that works...

tsteur · 2020-10-18T20:30:12Z

core/DbHelper.php

@@ -37,7 +37,7 @@ public static function getTablesInstalled($forceReload = true)
     */
    public static function tableExists($tableName)
    {
-        return Db::get()->query("SHOW TABLES LIKE ?", $tableName)->rowCount() > 0;
+        return Db::get()->query(sprintf("SHOW TABLES LIKE '%s'", $tableName))->rowCount() > 0;


could maybe add a comment to the function to not use user input as table name to prevent SQL injections but that kind of applies everywhere for tables in Matomo anyway. At the same time might not hurt to mention it

Could also just remove ' characters from $tableName?

this alone would probably not prevent injections. wouldn't hurt though to do it additionally.

out of curiosity, what kind of value would get past that? I guess we could also remove '"; and the backtick characters?

@diosmosis it depends on the use cases and how it's used. Eg you could trick Matomo into thinking the table is there or not there, or find out what tables exist by changing the input, etc. Make use of _ and %...

👍 that makes sense.

Fix check if table exists

3b4c00c

sgiehl added not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Needs Review PRs that need a code review labels Oct 16, 2020

sgiehl added this to the 4.0.0-RC milestone Oct 16, 2020

tsteur reviewed Oct 18, 2020

View reviewed changes

sgiehl and others added 2 commits October 19, 2020 09:19

add comment to avoid user input

f69f370

fix query was not working

9a06429

tsteur merged commit 6029f2c into 4.x-dev Oct 19, 2020

tsteur deleted the fixtblexists branch October 19, 2020 19:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix check if table exists #16581

Fix check if table exists #16581

sgiehl commented Oct 16, 2020

tsteur Oct 18, 2020

sgiehl Oct 19, 2020

tsteur Oct 18, 2020

diosmosis Oct 18, 2020

tsteur Oct 19, 2020

diosmosis Oct 19, 2020 •

edited

tsteur Oct 19, 2020

diosmosis Oct 19, 2020

sgiehl Oct 19, 2020

Fix check if table exists #16581

Fix check if table exists #16581

Conversation

sgiehl commented Oct 16, 2020

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

diosmosis Oct 19, 2020 • edited

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

diosmosis Oct 19, 2020 •

edited