contao · ausi · Sep 25, 2017 · Toflar · Oct 26, 2017 · leofeyer
diff --git a/src/Resources/contao/drivers/DC_Table.php b/src/Resources/contao/drivers/DC_Table.php
@@ -3143,12 +3143,12 @@ protected function save($varValue)
 			{
 				if ($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['mode'] == 4)
 				{
-					$this->Database->prepare("UPDATE " . $this->strTable . " SET " . $this->strField . "='' WHERE pid=?")
+					$this->Database->prepare("UPDATE " . $this->strTable . " SET " . \Database::escapeColumnName($this->strField) . "='' WHERE pid=?")
 								   ->execute($this->activeRecord->pid);
 				}
 				else
 				{
-					$this->Database->execute("UPDATE " . $this->strTable . " SET " . $this->strField . "=''");
+					$this->Database->execute("UPDATE " . $this->strTable . " SET " . \Database::escapeColumnName($this->strField) . "=''");
 				}
 			}
 
@@ -3161,7 +3161,7 @@ protected function save($varValue)
 			$arrValues = $this->values;
 			array_unshift($arrValues, $varValue);
 
-			$objUpdateStmt = $this->Database->prepare("UPDATE " . $this->strTable . " SET " . $this->strField . "=? WHERE " . implode(' AND ', $this->procedure))
+			$objUpdateStmt = $this->Database->prepare("UPDATE " . $this->strTable . " SET " . \Database::escapeColumnName($this->strField) . "=? WHERE " . implode(' AND ', $this->procedure))
 											->execute($arrValues);
 
 			if ($objUpdateStmt->affectedRows)

diff --git a/src/Resources/contao/library/Contao/Database.php b/src/Resources/contao/library/Contao/Database.php
@@ -706,6 +706,36 @@ public function getUuid()
 	}
 
 
+	/**
+	 * Escape the column name if it a reserved word
+	 *
+	 * @param string $name
+	 *
+	 * @return string
+	 */
+	public static function escapeColumnName($name)
+	{
+		if (in_array($name, ['rows'], true)) {
+			$name = '`'.$name.'`';
+		}
+
+		return $name;
+	}
+
+
+	/**
+	 * Escape a list of column names
+	 *
+	 * @param string[] $names
+	 *
+	 * @return string[]
+	 */
+	public static function escapeColumnNames(array $names)
+	{
+		return array_map([static::class, 'escapeColumnName'], $names);
+	}
+
+
 	/**
 	 * Execute a query and do not cache the result
 	 *

diff --git a/src/Resources/contao/library/Contao/Database/Statement.php b/src/Resources/contao/library/Contao/Database/Statement.php
@@ -182,7 +182,7 @@ public function set($arrParams)
 		if (strncasecmp($this->strQuery, 'INSERT', 6) === 0)
 		{
 			$strQuery = sprintf('(%s) VALUES (%s)',
-								implode(', ', array_keys($arrParams)),
+								implode(', ', \Database::escapeColumnNames(array_keys($arrParams))),
 								str_replace('%', '%%', implode(', ', array_values($arrParams))));
 		}
 
@@ -193,7 +193,7 @@ public function set($arrParams)
 
 			foreach ($arrParams as $k=>$v)
 			{
-				$arrSet[] = $k . '=' . $v;
+				$arrSet[] = \Database::escapeColumnName($k) . '=' . $v;
 			}
 
 			$strQuery = 'SET ' . str_replace('%', '%%', implode(', ', $arrSet));

diff --git a/src/Resources/contao/library/Contao/Model/QueryBuilder.php b/src/Resources/contao/library/Contao/Model/QueryBuilder.php
@@ -68,7 +68,7 @@ public static function find(array $arrOptions)
 		// Where condition
 		if ($arrOptions['column'] !== null)
 		{
-			$strQuery .= " WHERE " . (is_array($arrOptions['column']) ? implode(" AND ", $arrOptions['column']) : $arrOptions['table'] . '.' . $arrOptions['column'] . "=?");
+			$strQuery .= " WHERE " . (is_array($arrOptions['column']) ? implode(" AND ", $arrOptions['column']) : $arrOptions['table'] . '.' . \Database::escapeColumnName($arrOptions['column']) . "=?");
 		}
 
 		// Group by