fix: require AS keyword for function/subquery aliases in isIdentifierEscapeExempt to prevent SQL injection bypass

gr8man · gr8man · commit 36f7f006180c · 2026-06-08T23:20:53.000+02:00
diff --git a/system/Database/BaseConnection.php b/system/Database/BaseConnection.php
@@ -1440,7 +1440,7 @@ public function escapeIdentifier($item): string
     private function isIdentifierEscapeExempt(string $item): bool
     {
         $item = trim($item);
-        
+
         if ($item === '') {
             return false;
         }
@@ -1458,7 +1458,7 @@ private function isIdentifierEscapeExempt(string $item): bool
         // SQL functions or subqueries (e.g. MAX(id), (SELECT ...)) with an optional alias
         if (str_contains($item, '(')) {
             // Regex matching balanced parentheses (from start to end or with a safe alias)
-            if (preg_match('/^(?:[a-zA-Z0-9_.]+\s*)?(?P<parens>\((?:[^()]+|(?&parens))*\))(?:\s+(?:AS\s+)?(?:[a-zA-Z0-9_.]+|"[^"]*"|\'[^\']*\'|`[^`]*`))?$/is', $item)) {
+            if (preg_match('/^(?:[a-zA-Z0-9_.]+\s*)?(?P<parens>\((?:[^()]+|(?&parens))*\))(?:\s+AS\s+(?:[a-zA-Z0-9_.]+|"[^"]*"|\'[^\']*\'|`[^`]*`))?$/is', $item)) {
                 return true;
             }
         }
diff --git a/tests/system/Database/BaseConnectionTest.php b/tests/system/Database/BaseConnectionTest.php
@@ -445,7 +445,7 @@ public static function provideProtectIdentifiers(): iterable
                 true,
                 true,
                 'COUNT(id) OR 1=1',
-                'COUNT(id) OR "1=1"',
+                '"COUNT(id) OR" "1=1"',
             ],
             'SQLi: Unbalanced parenthesis attack' => [
                 false,

Original file line number	Diff line number	Diff line change
`@@ -1440,7 +1440,7 @@ public function escapeIdentifier($item): string`
`1440`	`1440`	`private function isIdentifierEscapeExempt(string $item): bool`
`1441`	`1441`	`{`
`1442`	`1442`	`$item = trim($item);`
`1443`		`-`
	`1443`	`+`
`1444`	`1444`	`if ($item === '') {`
`1445`	`1445`	`return false;`
`1446`	`1446`	`}`
`@@ -1458,7 +1458,7 @@ private function isIdentifierEscapeExempt(string $item): bool`
`1458`	`1458`	`// SQL functions or subqueries (e.g. MAX(id), (SELECT ...)) with an optional alias`
`1459`	`1459`	`if (str_contains($item, '(')) {`
`1460`	`1460`	`// Regex matching balanced parentheses (from start to end or with a safe alias)`
`1461`		- if (preg_match('/^(?:[a-zA-Z0-9_.]+\s)?(?P<parens>\((?:[^()]+\|(?&parens))\))(?:\s+(?:AS\s+)?(?:[a-zA-Z0-9_.]+\|"[^"]"\|\'[^\']\'\|`[^`]*`))?$/is', $item)) {
	`1461`	+ if (preg_match('/^(?:[a-zA-Z0-9_.]+\s)?(?P<parens>\((?:[^()]+\|(?&parens))\))(?:\s+AS\s+(?:[a-zA-Z0-9_.]+\|"[^"]"\|\'[^\']\'\|`[^`]*`))?$/is', $item)) {
`1462`	`1462`	`return true;`
`1463`	`1463`	`}`
`1464`	`1464`	`}`