From 6f67d0bdf802deb20f62b0fc827c076aef42fd31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hannu=20Po=CC=88lo=CC=88nen?=
Date: Wed, 21 Dec 2016 10:31:21 +0200
Subject: [PATCH] Escape DB prefixes

---
 classes/helpers/config.php | 4 ++--
 classes/helpers/customer.php | 2 +-
 classes/helpers/image.php | 2 +-
 classes/helpers/url.php | 2 +-
 classes/models/order.php | 13 +++++++------
 upgrade/upgrade-1.1.0.php | 4 ++--
 upgrade/upgrade-1.3.0.php | 4 ++--
 upgrade/upgrade-2.1.0.php | 6 +++---
 8 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/classes/helpers/config.php b/classes/helpers/config.php
index ed310f0f..5717a358 100644
--- a/classes/helpers/config.php
+++ b/classes/helpers/config.php
@@ -165,8 +165,8 @@ public function deleteAllFromContext($id_lang = null, $id_shop_group = null, $id
 $context_restriction = '';
 }
- $config_table = _DB_PREFIX_ . 'configuration';
- $config_lang_table = $config_table . '_lang';
+ $config_table = pSQL(_DB_PREFIX_ . 'configuration');
+ $config_lang_table = pSQL($config_table . '_lang');
 if (!empty($id_lang)) {
 Db::getInstance()->execute(
diff --git a/classes/helpers/customer.php b/classes/helpers/customer.php
index e564306c..0d1f79a7 100644
--- a/classes/helpers/customer.php
+++ b/classes/helpers/customer.php
@@ -51,7 +51,7 @@ public static function getCustomerLinkTableName()
 */
 public static function getCustomerReferenceTableName()
 {
- return _DB_PREFIX_.self::TABLE_NAME_CUSTOMER_REFERENCE;
+ return pSQL(_DB_PREFIX_.self::TABLE_NAME_CUSTOMER_REFERENCE);
 }
 /**
diff --git a/classes/helpers/image.php b/classes/helpers/image.php
index 9ee08faf..591b2263 100644
--- a/classes/helpers/image.php
+++ b/classes/helpers/image.php
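Review bot: `$config_lang_table = pSQL($config_table . '_lang');` runs pSQL over a value the line above has already escaped, so any backslash the first call produced is escaped again and the two names drift apart for a prefix containing a quote or backslash; `'_lang'` itself is a literal and needs no escaping. Escape the raw prefix once and derive the second name from the escaped value, `$config_lang_table = $config_table . '_lang';`. The same double escape is introduced in the upgrade/upgrade-1.3.0.php hunk. deleteAllFromContext() starts before and continues after this hunk.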
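Review bot: getCustomerReferenceTableName() now returns an SQL-escaped fragment rather than a plain table name, which is a contract change for every caller: one that escapes the returned value itself will escape it twice, and one that uses the name outside an SQL string (logging, comparisons) gets escape sequences it did not ask for. The hunk header names the sibling getCustomerLinkTableName(), and the diffstat shows only this one line changed in the file, so the two getters presumably now differ in what they return; either treat both the same way or keep the escaping at the call site. At minimum the docblock above the method should say `@return string Table name already passed through pSQL(); do not escape it again.`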
@@ -61,7 +61,7 @@ public function chooseOptimalImageType()
 $definition = (_PS_VERSION_ >= '1.5') ? ObjectModel::getDefinition('ImageType') : array();
 $table_name = isset($definition['table']) ? $definition['table'] : 'image_type';
 $available_image_types = Db::getInstance()->executeS('
- SELECT * FROM `'._DB_PREFIX_.pSQL($table_name).'`
+ SELECT * FROM `'.pSQL(_DB_PREFIX_.$table_name).'`
 WHERE `products` = 1
 ORDER BY `width` ASC
 ');
diff --git a/classes/helpers/url.php b/classes/helpers/url.php
index 7428f753..9cccd5d5 100644
--- a/classes/helpers/url.php
+++ b/classes/helpers/url.php
@@ -45,7 +45,7 @@ public function getPreviewUrlProduct($id_product = null, $id_lang = null)
 // Find a product that is active and available for order.
 $sql = '
 SELECT `id_product`
- FROM `'._DB_PREFIX_.'product`
+ FROM `'.pSQL(_DB_PREFIX_).'product`
 WHERE `active` = 1
 AND `available_for_order` = 1
 ';
diff --git a/classes/models/order.php b/classes/models/order.php
index 56e730c3..e5173eb7 100644
--- a/classes/models/order.php
+++ b/classes/models/order.php
@@ -451,6 +451,7 @@ protected function getProductAttributeCombinationsById($product, $id_product_att
 return $product->getAttributeCombinationsById($id_product_attribute, $id_lang);
 }
+ $db_prefix = pSQL(_DB_PREFIX_);
 return Db::getInstance()->executeS(
 'SELECT pa.*,
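Review bot: `pSQL(_DB_PREFIX_.$table_name)` escapes for a quoted string literal, but the result is placed between backticks, where the character that matters is the backtick itself and pSQL leaves it untouched; the wrapping therefore records an intent without actually constraining the identifier. The same holds for `pSQL(_DB_PREFIX_)` in the classes/helpers/url.php and classes/models/order.php hunks and in the three upgrade scripts. For identifier context the core offers `bqSQL()`, which additionally escapes backticks — use it where the supported PrestaShop versions provide it (the `_PS_VERSION_ >= '1.5'` check on the line above suggests older releases are still targeted), and otherwise say in a comment that `_DB_PREFIX_` is a settings constant rather than request input, so readers do not mistake the call for a guard. chooseOptimalImageType() continues after this hunk.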
@@ -461,20 +462,20 @@ protected function getProductAttributeCombinationsById($product, $id_product_att
 a.`id_attribute`,
 pa.`unit_price_impact`
 FROM
- `'._DB_PREFIX_.'product_attribute` pa
+ `'. $db_prefix .'product_attribute` pa
 LEFT JOIN
- `'._DB_PREFIX_.'product_attribute_combination` pac
+ `'. $db_prefix .'product_attribute_combination` pac
 ON pac.`id_product_attribute` = pa.`id_product_attribute`
 LEFT JOIN
- `'._DB_PREFIX_.'attribute` a ON a.`id_attribute` = pac.`id_attribute`
+ `'. $db_prefix .'attribute` a ON a.`id_attribute` = pac.`id_attribute`
 LEFT JOIN
- `'._DB_PREFIX_.'attribute_group` ag
+ `'. $db_prefix .'attribute_group` ag
 ON ag.`id_attribute_group` = a.`id_attribute_group`
 LEFT JOIN
- `'._DB_PREFIX_.'attribute_lang` al
+ `'. $db_prefix .'attribute_lang` al
 ON (a.`id_attribute` = al.`id_attribute` AND al.`id_lang` = '.(int)($id_lang).')
 LEFT JOIN
- `'._DB_PREFIX_.'attribute_group_lang` agl
+ `'. $db_prefix .'attribute_group_lang` agl
 ON ( ag.`id_attribute_group` = agl.`id_attribute_group` AND agl.`id_lang` = '.(int)($id_lang).'
diff --git a/upgrade/upgrade-1.1.0.php b/upgrade/upgrade-1.1.0.php
index fc6a22ae..6dc64a04 100644
--- a/upgrade/upgrade-1.1.0.php
+++ b/upgrade/upgrade-1.1.0.php
@@ -40,13 +40,13 @@
 */
 function upgrade_module_1_1_0($object)
 {
- $create_table = 'CREATE TABLE IF NOT EXISTS `'._DB_PREFIX_.'nostotagging_customer_link` (
+ $create_table = 'CREATE TABLE IF NOT EXISTS `'.pSQL(_DB_PREFIX_).'nostotagging_customer_link` (
 `id_customer` INT(10) UNSIGNED NOT NULL,
 `id_nosto_customer` VARCHAR(255) NOT NULL,
 `date_add` DATETIME NOT NULL,
 `date_upd` DATETIME NULL,
 PRIMARY KEY (`id_customer`, `id_nosto_customer`)
- ) ENGINE '._MYSQL_ENGINE_;
+ ) ENGINE '.pSQL(_MYSQL_ENGINE_);
 return Db::getInstance()->execute($create_table)
 && $object->registerHook('actionPaymentConfirmation')
diff --git a/upgrade/upgrade-1.3.0.php b/upgrade/upgrade-1.3.0.php
index 6891a80d..7df6f147 100644
--- a/upgrade/upgrade-1.3.0.php
+++ b/upgrade/upgrade-1.3.0.php
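Review bot: The rewritten join lines spell the concatenation as `'. $db_prefix .'` with spaces around the operator, while the same hunk keeps `'.(int)($id_lang).'` and the other files in this patch write `'.pSQL(_DB_PREFIX_).'`; one spacing style per file reads better, so `'.$db_prefix.'` on the six changed lines. Hoisting the escaped prefix into a single local is a good call, since it replaces six repeated escape calls with one. getProductAttributeCombinationsById() starts before this hunk and the query string continues after it.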
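Review bot: `') ENGINE '.pSQL(_MYSQL_ENGINE_)` escapes a value that appears as a bare keyword after ENGINE, outside any quotes, so quote escaping cannot neutralise anything in that position; for a well-formed engine name the call is a no-op, and for anything else it is not a guard. If a check is actually wanted, compare the constant against the engines the module supports, e.g. `in_array(_MYSQL_ENGINE_, array('InnoDB', 'MyISAM'), true)`, and fail the upgrade otherwise; if not, leave the constant unwrapped and note in a comment that it comes from the shop settings. The same wrapping appears in the upgrade/upgrade-2.1.0.php hunk. upgrade_module_1_1_0() continues after this hunk.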
@@ -41,8 +41,8 @@ function upgrade_module_1_3_0($object)
 {
 // Purge the nosto configs the plugin have created so far and reload the config.
- $config_table = _DB_PREFIX_.'configuration';
- $config_lang_table = $config_table.'_lang';
+ $config_table = pSQL(_DB_PREFIX_.'configuration');
+ $config_lang_table = pSQL($config_table.'_lang');
 Db::getInstance()->execute('
 DELETE `'.$config_lang_table.'` FROM `'.$config_lang_table.'`
 LEFT JOIN `'.$config_table.'`
diff --git a/upgrade/upgrade-2.1.0.php b/upgrade/upgrade-2.1.0.php
index e8fe7a8b..413e9f53 100644
--- a/upgrade/upgrade-2.1.0.php
+++ b/upgrade/upgrade-2.1.0.php
@@ -39,14 +39,14 @@
 */
 function upgrade_module_2_1_0($object)
 {
- $drop_table = 'DROP TABLE IF EXISTS `'._DB_PREFIX_.'nostotagging_customer_link`';
- $create_table = 'CREATE TABLE IF NOT EXISTS `'._DB_PREFIX_.'nostotagging_customer_link` (
+ $drop_table = 'DROP TABLE IF EXISTS `'.pSQL(_DB_PREFIX_).'nostotagging_customer_link`';
+ $create_table = 'CREATE TABLE IF NOT EXISTS `'.pSQL(_DB_PREFIX_).'nostotagging_customer_link` (
 `id_cart` INT(10) UNSIGNED NOT NULL,
 `id_nosto_customer` VARCHAR(255) NOT NULL,
 `date_add` DATETIME NOT NULL,
 `date_upd` DATETIME NULL,
 PRIMARY KEY (`id_cart`, `id_nosto_customer`)
- ) ENGINE '._MYSQL_ENGINE_;
+ ) ENGINE '.pSQL(_MYSQL_ENGINE_);
 if (_PS_VERSION_ > '1.5') {
 $hooks = $object->registerHook('actionObjectDeleteAfter')