From 74698af402e0d8a4efe90d2db3591fb20b5ecf03 Mon Sep 17 00:00:00 2001
From: Robbie Averill
Date: Wed, 7 Nov 2018 12:12:44 +0200
Subject: [PATCH] [SS-2018-020] Ensure that table names are escaped to prevent possible SQL injection
---
 src/ORM/DataObjectSchema.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/ORM/DataObjectSchema.php b/src/ORM/DataObjectSchema.php
index e14821615..ab694f28e 100644
--- a/src/ORM/DataObjectSchema.php
+++ b/src/ORM/DataObjectSchema.php
@@ -8,6 +8,7 @@ use LogicException;
 use SilverStripe\Core\ClassInfo;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Core\Config\Configurable;
+use SilverStripe\Core\Convert;
 use SilverStripe\Core\Injector\Injectable;
 use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Dev\TestOnly;
@@ -127,7 +128,7 @@ class DataObjectSchema
 $tables = $this->getTableNames();
 $class = ClassInfo::class_name($class);
 if (isset($tables[$class])) {
- return $tables[$class];
+ return Convert::raw2sql($tables[$class]);
 }
 return null;
 }
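Review bot: `Convert::raw2sql()` on the new `return` line escapes the name as a SQL string value, but a table name is used as an identifier, so whether this closes the injection depends on how each caller quotes the result. Escaping in the getter also leaves `getTableNames()`, called two lines above, returning the raw names, so any caller that reads that map directly is not covered by the fix. I would rather validate names where the map is built, rejecting anything outside a conservative identifier pattern, and document the contract here with a comment such as `// Escaped as a SQL value only; callers must still quote this as an identifier`. The diffstat shows only this one file changed, so a regression test using a table name that contains a quote character would be worth adding. The method's signature is above the hunk, so its callers could not be checked from here.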