From 1c3f5ba6ef9d2416d1b83d802ea83fa1df027805 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Mon, 25 Mar 2013 23:59:34 +0100 Subject: [PATCH 1/6] Properly prepare insertIfNotExist queries. --- lib/db.php | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/lib/db.php b/lib/db.php index 9699b216f6..cfa3b6cb97 100644 --- a/lib/db.php +++ b/lib/db.php @@ -633,18 +633,20 @@ class OC_DB { $type = self::$type; $query = ''; + $inserts = array_values($input); // differences in escaping of table names ('`' for mysql) and getting the current timestamp if( $type == 'sqlite' || $type == 'sqlite3' ) { // NOTE: For SQLite we have to use this clumsy approach // otherwise all fieldnames used must have a unique key. $query = 'SELECT * FROM "' . $table . '" WHERE '; foreach($input as $key => $value) { - $query .= $key . " = '" . $value . '\' AND '; + $query .= $key . ' = ? AND '; } $query = substr($query, 0, strlen($query) - 5); try { $stmt = self::prepare($query); - $result = $stmt->execute(); + $result = $stmt->execute($inserts); + } catch(PDOException $e) { $entry = 'DB Error: "'.$e->getMessage() . '"
'; $entry .= 'Offending command was: ' . $query . '
'; @@ -653,27 +655,28 @@ class OC_DB { OC_Template::printErrorPage( $entry ); } - if($result->numRows() == 0) { + if((int)$result->numRows() === 0) { $query = 'INSERT INTO "' . $table . '" ("' - . implode('","', array_keys($input)) . '") VALUES("' - . implode('","', array_values($input)) . '")'; + . implode('","', array_keys($input)) . '") VALUES(' + . str_repeat('?,', count($input)-1).'? ' . ')'; } else { return true; } } elseif( $type == 'pgsql' || $type == 'oci' || $type == 'mysql' || $type == 'mssql') { - $query = 'INSERT INTO `' .$table . '` (' - . implode(',', array_keys($input)) . ') SELECT \'' - . implode('\',\'', array_values($input)) . '\' FROM ' . $table . ' WHERE '; + $query = 'INSERT INTO `' .$table . '` (`' + . implode('`,`', array_keys($input)) . '`) SELECT ' + . str_repeat('?,', count($input)-1).'? ' // Is there a prettier alternative? + . 'FROM ' . $table . ' WHERE '; foreach($input as $key => $value) { - $query .= $key . " = '" . $value . '\' AND '; + $query .= '`' . $key . '` = ? AND '; } $query = substr($query, 0, strlen($query) - 5); $query .= ' HAVING COUNT(*) = 0'; + $inserts = array_merge($inserts, $inserts); } - // TODO: oci should be use " (quote) instead of ` (backtick). - //OC_Log::write('core', __METHOD__ . ', type: ' . $type . ', query: ' . $query, OC_Log::DEBUG); + // TODO: oci should be use " (quote) instead of ` (backtick)? try { $result = self::prepare($query); @@ -685,7 +688,7 @@ class OC_DB { OC_Template::printErrorPage( $entry ); } - return $result->execute(); + return $result->execute($inserts); } /** From 07236800a7c676140b487a6bc22146921c9c88a2 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Tue, 26 Mar 2013 00:19:23 +0100 Subject: [PATCH 2/6] Quote key for SQLite. --- lib/db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/db.php b/lib/db.php index cfa3b6cb97..f7c43c2f77 100644 --- a/lib/db.php +++ b/lib/db.php 
@@ -640,7 +640,7 @@ class OC_DB { // otherwise all fieldnames used must have a unique key. $query = 'SELECT * FROM "' . $table . '" WHERE '; foreach($input as $key => $value) { - $query .= $key . ' = ? AND '; + $query .= '"' .$key . '"' . ' = ? AND '; } $query = substr($query, 0, strlen($query) - 5); try { From 5e8101639265d220f7b368c106f66a3f25cae386 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Tue, 26 Mar 2013 00:21:57 +0100 Subject: [PATCH 3/6] D'oh, why concatenate static strings. --- lib/db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/db.php b/lib/db.php index f7c43c2f77..30f41f449f 100644 --- a/lib/db.php +++ b/lib/db.php @@ -640,7 +640,7 @@ class OC_DB { // otherwise all fieldnames used must have a unique key. $query = 'SELECT * FROM "' . $table . '" WHERE '; foreach($input as $key => $value) { - $query .= '"' .$key . '"' . ' = ? AND '; + $query .= '"' . $key . '" = ? AND '; } $query = substr($query, 0, strlen($query) - 5); try { From 9d618005b6553fa4365865d9cfa430ccb7ad9ab6 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Tue, 26 Mar 2013 00:24:08 +0100 Subject: [PATCH 4/6] Missing backticks. Thx @Raydiation :) --- lib/db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/db.php b/lib/db.php index 30f41f449f..1a4b0a86c6 100644 --- a/lib/db.php +++ b/lib/db.php @@ -666,7 +666,7 @@ class OC_DB { $query = 'INSERT INTO `' .$table . '` (`' . implode('`,`', array_keys($input)) . '`) SELECT ' . str_repeat('?,', count($input)-1).'? ' // Is there a prettier alternative? - . 'FROM ' . $table . ' WHERE '; + . 'FROM `' . $table . '` WHERE '; foreach($input as $key => $value) { $query .= '`' . $key . '` = ? AND '; From 5f53145eb06e06cf3127f204183bd74e0e479d10 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Tue, 26 Mar 2013 01:00:15 +0100 Subject: [PATCH 5/6] Double quotes to backticks --- lib/db.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
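Review bot: Wrapping `$key` in double quotes in the SQLite SELECT does not escape a double quote inside the key, so the identifier can still be terminated early by a crafted column name; quoting only protects against reserved words, not against untrusted identifiers. If the keys are meant to be trusted, a comment saying so at the loop, `// $key is an internal column name; quoting guards against reserved words, not untrusted input`, is the minimum, and a `preg_match('/^[A-Za-z0-9_]+$/', $key)` check with an exception on failure would make the assumption enforceable. The enclosing method continues outside this hunk.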
diff --git a/lib/db.php b/lib/db.php index 1a4b0a86c6..9d0b200790 100644 --- a/lib/db.php +++ b/lib/db.php @@ -638,9 +638,9 @@ class OC_DB { if( $type == 'sqlite' || $type == 'sqlite3' ) { // NOTE: For SQLite we have to use this clumsy approach // otherwise all fieldnames used must have a unique key. - $query = 'SELECT * FROM "' . $table . '" WHERE '; + $query = 'SELECT * FROM `' . $table . '` WHERE '; foreach($input as $key => $value) { - $query .= '"' . $key . '" = ? AND '; + $query .= '`' . $key . '` = ? AND '; } $query = substr($query, 0, strlen($query) - 5); try { @@ -656,8 +656,8 @@ class OC_DB { } if((int)$result->numRows() === 0) { - $query = 'INSERT INTO "' . $table . '" ("' - . implode('","', array_keys($input)) . '") VALUES(' + $query = 'INSERT INTO `' . $table . '` (`' + . implode('`,`', array_keys($input)) . '`) VALUES(' . str_repeat('?,', count($input)-1).'? ' . ')'; } else { return true; From 5b66b317b14779ca353f83036c7e87da09a57ac8 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Tue, 26 Mar 2013 01:01:38 +0100 Subject: [PATCH 6/6] And removing an irrelevant comment ;) --- lib/db.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/db.php b/lib/db.php index 9d0b200790..5a91421f7a 100644 --- a/lib/db.php +++ b/lib/db.php @@ -676,8 +676,6 @@ class OC_DB { $inserts = array_merge($inserts, $inserts); } - // TODO: oci should be use " (quote) instead of ` (backtick)? - try { $result = self::prepare($query); } catch(PDOException $e) {
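Review bot: Switching the SQLite branch from `"` to backticks works only because SQLite accepts grave-accent identifier quoting as a MySQL-compatibility extension, which is not standard SQL, and the hunk does not say why all branches now share one quoting style; a comment above the SELECT would prevent someone "fixing" it back, e.g. `// backticks are accepted by SQLite (MySQL-compat extension), so every backend branch uses the same identifier quoting`. As in the earlier hunks, the backticks do not escape a backtick inside `$table` or a key, so this still relies on the identifiers being trusted, internal names. The enclosing method starts before and ends after this hunk.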