Connection::quote() can only quote strings

0db36a96 · Sergei Morozov · 94b6980f · 0db36a96 · 0db36a96 · 0db36a96
Unverified Commit 0db36a96 authored Mar 15, 2019 by Sergei Morozov
15 changed files
--- a/UPGRADE.md
+++ b/UPGRADE.md
 # Upgrade to 3.0
+## BC BREAK `Statement::quote()` only accepts strings.
+`Statement::quote()` and `ExpressionBuilder::literal()` no longer accept arguments of an arbitrary type and and don't implement type-specific handling. Only strings can be quoted.
 ## BC BREAK `Statement` and `Connection` methods return `void`.
 `Connection::connect()`, `Statement::bindParam()`, `::bindValue()`, `::execute()`, `ResultStatement::setFetchMode()` and `::closeCursor()` no longer return a boolean value. They will throw an exception in case of failure.

--- a/lib/Doctrine/DBAL/Connection.php
+++ b/lib/Doctrine/DBAL/Connection.php
@@ -817,13 +817,9 @@ class Connection implements DriverConnection
    /**
     * {@inheritDoc}
     */
-    public function quote($input, $type = null)
+    public function quote(string $input) : string
    {
-        $connection = $this->getWrappedConnection();
+        return $this->getWrappedConnection()->quote($input);
-        [$value, $bindingType] = $this->getBindingInfo($input, $type);
-        return $connection->quote($value, $bindingType);
    }
    /**

--- a/lib/Doctrine/DBAL/Driver/Connection.php
+++ b/lib/Doctrine/DBAL/Driver/Connection.php
@@ -3,7 +3,6 @@
 namespace Doctrine\DBAL\Driver;
 use Doctrine\DBAL\DBALException;
-use Doctrine\DBAL\ParameterType;
 /**
 * Connection interface.
@@ -27,13 +26,8 @@ interface Connection
    /**
     * Quotes a string for use in a query.
-     *
-     * @param mixed $input
-     * @param int   $type
-     *
-     * @return mixed
     */
-    public function quote($input, $type = ParameterType::STRING);
+    public function quote(string $input) : string;
    /**
     * Executes an SQL statement and return the number of affected rows.

--- a/lib/Doctrine/DBAL/Driver/IBMDB2/DB2Connection.php
+++ b/lib/Doctrine/DBAL/Driver/IBMDB2/DB2Connection.php
@@ -6,7 +6,6 @@ use Doctrine\DBAL\Driver\Connection;
 use Doctrine\DBAL\Driver\ResultStatement;
 use Doctrine\DBAL\Driver\ServerInfoAwareConnection;
 use Doctrine\DBAL\Driver\Statement as DriverStatement;
-use Doctrine\DBAL\ParameterType;
 use stdClass;
 use const DB2_AUTOCOMMIT_OFF;
 use const DB2_AUTOCOMMIT_ON;
@@ -101,15 +100,9 @@ class DB2Connection implements Connection, ServerInfoAwareConnection
    /**
     * {@inheritdoc}
     */
-    public function quote($input, $type = ParameterType::STRING)
+    public function quote(string $input) : string
    {
-        $input = db2_escape_string($input);
+        return "'" . db2_escape_string($input) . "'";
-        if ($type === ParameterType::INTEGER) {
-            return $input;
-        }
-        return "'" . $input . "'";
    }
    /**

--- a/lib/Doctrine/DBAL/Driver/Mysqli/MysqliConnection.php
+++ b/lib/Doctrine/DBAL/Driver/Mysqli/MysqliConnection.php
@@ -7,7 +7,6 @@ use Doctrine\DBAL\Driver\PingableConnection;
 use Doctrine\DBAL\Driver\ResultStatement;
 use Doctrine\DBAL\Driver\ServerInfoAwareConnection;
 use Doctrine\DBAL\Driver\Statement as DriverStatement;
-use Doctrine\DBAL\ParameterType;
 use mysqli;
 use const MYSQLI_INIT_COMMAND;
 use const MYSQLI_OPT_CONNECT_TIMEOUT;
@@ -146,7 +145,7 @@ class MysqliConnection implements Connection, PingableConnection, ServerInfoAwar
    /**
     * {@inheritdoc}
     */
-    public function quote($input, $type = ParameterType::STRING)
+    public function quote(string $input) : string
    {
        return "'" . $this->conn->escape_string($input) . "'";
    }

--- a/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
+++ b/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
@@ -6,14 +6,11 @@ use Doctrine\DBAL\Driver\Connection;
 use Doctrine\DBAL\Driver\ResultStatement;
 use Doctrine\DBAL\Driver\ServerInfoAwareConnection;
 use Doctrine\DBAL\Driver\Statement as DriverStatement;
-use Doctrine\DBAL\ParameterType;
 use UnexpectedValueException;
 use const OCI_COMMIT_ON_SUCCESS;
 use const OCI_DEFAULT;
 use const OCI_NO_AUTO_COMMIT;
 use function addcslashes;
-use function is_float;
-use function is_int;
 use function oci_commit;
 use function oci_connect;
 use function oci_error;
@@ -123,14 +120,9 @@ class OCI8Connection implements Connection, ServerInfoAwareConnection
    /**
     * {@inheritdoc}
     */
-    public function quote($value, $type = ParameterType::STRING)
+    public function quote(string $input) : string
    {
-        if (is_int($value) || is_float($value)) {
+        return "'" . addcslashes(str_replace("'", "''", $input), "\000\n\r\\\032") . "'";
-            return $value;
-        }
-        $value = str_replace("'", "''", $value);
-        return "'" . addcslashes($value, "\000\n\r\\\032") . "'";
    }
    /**

--- a/lib/Doctrine/DBAL/Driver/PDOConnection.php
+++ b/lib/Doctrine/DBAL/Driver/PDOConnection.php
@@ -2,7 +2,6 @@
 namespace Doctrine\DBAL\Driver;
-use Doctrine\DBAL\ParameterType;
 use PDO;
 use function assert;
@@ -86,9 +85,9 @@ class PDOConnection implements Connection, ServerInfoAwareConnection
    /**
     * {@inheritdoc}
     */
-    public function quote($input, $type = ParameterType::STRING)
+    public function quote(string $input) : string
    {
-        return $this->connection->quote($input, $type);
+        return $this->connection->quote($input);
    }
    /**

--- a/lib/Doctrine/DBAL/Driver/PDOSqlsrv/Connection.php
+++ b/lib/Doctrine/DBAL/Driver/PDOSqlsrv/Connection.php
@@ -4,7 +4,6 @@ namespace Doctrine\DBAL\Driver\PDOSqlsrv;
 use Doctrine\DBAL\Driver\PDOConnection;
 use Doctrine\DBAL\Driver\PDOStatement;
-use Doctrine\DBAL\ParameterType;
 use function strpos;
 use function substr;
@@ -31,9 +30,9 @@ class Connection extends PDOConnection
    /**
     * {@inheritDoc}
     */
-    public function quote($value, $type = ParameterType::STRING)
+    public function quote(string $input) : string
    {
-        $val = parent::quote($value, $type);
+        $val = parent::quote($input);
        // Fix for a driver version terminating all values with null byte
        if (strpos($val, "\0") !== false) {

--- a/lib/Doctrine/DBAL/Driver/SQLAnywhere/SQLAnywhereConnection.php
+++ b/lib/Doctrine/DBAL/Driver/SQLAnywhere/SQLAnywhereConnection.php
@@ -6,10 +6,7 @@ use Doctrine\DBAL\Driver\Connection;
 use Doctrine\DBAL\Driver\ResultStatement;
 use Doctrine\DBAL\Driver\ServerInfoAwareConnection;
 use Doctrine\DBAL\Driver\Statement as DriverStatement;
-use Doctrine\DBAL\ParameterType;
 use function assert;
-use function is_float;
-use function is_int;
 use function is_resource;
 use function is_string;
 use function sasql_affected_rows;
@@ -159,12 +156,8 @@ class SQLAnywhereConnection implements Connection, ServerInfoAwareConnection
    /**
     * {@inheritdoc}
     */
-    public function quote($input, $type = ParameterType::STRING)
+    public function quote(string $input) : string
    {
-        if (is_int($input) || is_float($input)) {
-            return $input;
-        }
        return "'" . sasql_escape_string($this->connection, $input) . "'";
    }

--- a/lib/Doctrine/DBAL/Driver/SQLSrv/SQLSrvConnection.php
+++ b/lib/Doctrine/DBAL/Driver/SQLSrv/SQLSrvConnection.php
@@ -6,11 +6,7 @@ use Doctrine\DBAL\Driver\Connection;
 use Doctrine\DBAL\Driver\ResultStatement;
 use Doctrine\DBAL\Driver\ServerInfoAwareConnection;
 use Doctrine\DBAL\Driver\Statement as DriverStatement;
-use Doctrine\DBAL\ParameterType;
 use const SQLSRV_ERR_ERRORS;
-use function is_float;
-use function is_int;
-use function sprintf;
 use function sqlsrv_begin_transaction;
 use function sqlsrv_commit;
 use function sqlsrv_configure;
@@ -95,17 +91,9 @@ class SQLSrvConnection implements Connection, ServerInfoAwareConnection
    /**
     * {@inheritDoc}
     */
-    public function quote($value, $type = ParameterType::STRING)
+    public function quote(string $input) : string
    {
-        if (is_int($value)) {
+        return "'" . str_replace("'", "''", $input) . "'";
-            return $value;
-        }
-        if (is_float($value)) {
-            return sprintf('%F', $value);
-        }
-        return "'" . str_replace("'", "''", $value) . "'";
    }
    /**

--- a/lib/Doctrine/DBAL/Query/Expression/ExpressionBuilder.php
+++ b/lib/Doctrine/DBAL/Query/Expression/ExpressionBuilder.php
@@ -284,15 +284,10 @@ class ExpressionBuilder
    }
    /**
-     * Quotes a given input parameter.
+     * Creates an SQL literal expression from the string.
-     *
-     * @param mixed    $input The parameter to be quoted.
-     * @param int|null $type  The type of the parameter.
-     *
-     * @return string
     */
-    public function literal($input, $type = null)
+    public function literal(string $input)
    {
-        return $this->connection->quote($input, $type);
+        return $this->connection->quote($input);
    }
 }
--- a/lib/Doctrine/DBAL/Sharding/SQLAzure/SQLAzureShardManager.php
+++ b/lib/Doctrine/DBAL/Sharding/SQLAzure/SQLAzureShardManager.php
@@ -202,7 +202,7 @@ class SQLAzureShardManager implements ShardManager
        $sql = 'ALTER FEDERATION ' . $this->getFederationName() . ' ' .
               'SPLIT AT (' . $this->getDistributionKey() . ' = ' .
-               $this->conn->quote($splitDistributionValue, $type->getBindingType()) . ')';
+               $this->conn->quote($splitDistributionValue) . ')';
        $this->conn->exec($sql);
    }
 }
--- a/tests/Doctrine/Tests/DBAL/Functional/ConnectionTest.php
+++ b/tests/Doctrine/Tests/DBAL/Functional/ConnectionTest.php
@@ -6,9 +6,7 @@ use Doctrine\DBAL\Connection;
 use Doctrine\DBAL\ConnectionException;
 use Doctrine\DBAL\Driver\Connection as DriverConnection;
 use Doctrine\DBAL\DriverManager;
-use Doctrine\DBAL\ParameterType;
 use Doctrine\DBAL\Platforms\AbstractPlatform;
-use Doctrine\DBAL\Types\Types;
 use Doctrine\Tests\DbalFunctionalTestCase;
 use Error;
 use Exception;
@@ -287,8 +285,8 @@ class ConnectionTest extends DbalFunctionalTestCase
    public function testQuote() : void
    {
        self::assertEquals(
-            $this->connection->quote('foo', Types::STRING),
+            $this->connection->quote('foo'),
-            $this->connection->quote('foo', ParameterType::STRING)
+            $this->connection->quote('foo')
        );
    }

--- a/tests/Doctrine/Tests/DBAL/Functional/DataAccessTest.php
+++ b/tests/Doctrine/Tests/DBAL/Functional/DataAccessTest.php
@@ -177,9 +177,9 @@ class DataAccessTest extends DbalFunctionalTestCase
        $paramStr = 'foo';
        $stmt = $this->connection->prepare(sprintf(
-            'SELECT test_int, test_string FROM %s WHERE test_int = %s AND test_string = %s',
+            'SELECT test_int, test_string FROM %s WHERE test_int = %d AND test_string = %s',
            $this->connection->quoteIdentifier($table),
-            $this->connection->quote($paramInt),
+            $paramInt,
            $this->connection->quote($paramStr)
        ));
        self::assertInstanceOf(Statement::class, $stmt);

--- a/tests/Doctrine/Tests/DBAL/Functional/WriteTest.php
+++ b/tests/Doctrine/Tests/DBAL/Functional/WriteTest.php
@@ -46,7 +46,7 @@ class WriteTest extends DbalFunctionalTestCase
    public function testExecuteUpdate() : void
    {
-        $sql      = 'INSERT INTO write_table (test_int) VALUES ( ' . $this->connection->quote(1) . ')';
+        $sql      = 'INSERT INTO write_table (test_int) VALUES (1)';
        $affected = $this->connection->executeUpdate($sql);
        self::assertEquals(1, $affected, 'executeUpdate() should return the number of affected rows!');