Merge branch 'jibriss-fix-postgresql-comment'

Close #657

lib/Doctrine/DBAL/Platforms/AbstractPlatform.php

@@ -1589,7 +1589,9 @@ abstract class AbstractPlatform
      */
     public function getCommentOnColumnSQL($tableName, $columnName, $comment)
     {
-        return "COMMENT ON COLUMN " . $tableName . "." . $columnName . " IS '" . $comment . "'";
+        $comment = $this->quoteStringLiteral($comment);
+
+        return "COMMENT ON COLUMN " . $tableName . "." . $columnName . " IS " . $comment;
     }
 
     /**
@@ -2201,7 +2203,7 @@ abstract class AbstractPlatform
         }
 
         if ($this->supportsInlineColumnComments() && isset($field['comment']) && $field['comment']) {
-            $columnDef .= " COMMENT '" . $field['comment'] . "'";
+            $columnDef .= " COMMENT " . $this->quoteStringLiteral($field['comment']);
         }
 
         return $name . ' ' . $columnDef;
@@ -3484,4 +3486,31 @@ abstract class AbstractPlatform
     {
         throw DBALException::notSupported(__METHOD__);
     }
+
+    /**
+     * Quotes a literal string.
+     * This method is NOT meant to fix SQL injections!
+     * It is only meant to escape this platform's string literal
+     * quote character inside the given literal string.
+     *
+     * @param string $str The literal string to be quoted.
+     *
+     * @return string The quoted literal string.
+     */
+    public function quoteStringLiteral($str)
+    {
+        $c = $this->getStringLiteralQuoteCharacter();
+
+        return $c . str_replace($c, $c . $c, $str) . $c;
+    }
+
+    /**
+     * Gets the character used for string literal quoting.
+     *
+     * @return string
+     */
+    public function getStringLiteralQuoteCharacter()
+    {
+        return "'";
+    }
 }

lib/Doctrine/DBAL/Platforms/DrizzlePlatform.php

@@ -275,7 +275,7 @@ class DrizzlePlatform extends AbstractPlatform
         if (isset($options['comment'])) {
             $comment = trim($options['comment'], " '");
 
-            $tableOptions[] = sprintf("COMMENT = '%s' ", str_replace("'", "''", $comment));
+            $tableOptions[] = sprintf("COMMENT = %s ", $this->quoteStringLiteral($comment));
         }
 
         // Row format

lib/Doctrine/DBAL/Platforms/MySqlPlatform.php

@@ -494,7 +494,7 @@ class MySqlPlatform extends AbstractPlatform
         if (isset($options['comment'])) {
             $comment = trim($options['comment'], " '");
 
-            $tableOptions[] = sprintf("COMMENT = '%s' ", str_replace("'", "''", $comment));
+            $tableOptions[] = sprintf("COMMENT = %s ", $this->quoteStringLiteral($comment));
         }
 
         // Row format

lib/Doctrine/DBAL/Platforms/PostgreSqlPlatform.php

@@ -615,7 +615,7 @@ class PostgreSqlPlatform extends AbstractPlatform
      */
     public function getCommentOnColumnSQL($tableName, $columnName, $comment)
     {
-        $comment = $comment === null ? 'NULL' : "'$comment'";
+        $comment = $comment === null ? 'NULL' : $this->quoteStringLiteral($comment);
 
         return "COMMENT ON COLUMN $tableName.$columnName IS $comment";
     }

lib/Doctrine/DBAL/Platforms/SQLAnywherePlatform.php

@@ -357,7 +357,7 @@ class SQLAnywherePlatform extends AbstractPlatform
      */
     public function getCommentOnColumnSQL($tableName, $columnName, $comment)
     {
-        $comment = $comment === null ? 'NULL' : "'$comment'";
+        $comment = $comment === null ? 'NULL' : $this->quoteStringLiteral($comment);
 
         return "COMMENT ON COLUMN $tableName.$columnName IS $comment";
     }

tests/Doctrine/Tests/DBAL/Functional/Schema/SchemaManagerFunctionalTestCase.php

@@ -869,4 +869,22 @@ class SchemaManagerFunctionalTestCase extends \Doctrine\Tests\DbalFunctionalTest
             $this->_sm->listTableForeignKeys($defaultSchemaName . '.' . $primaryTableName)
         );
     }
+
+    public function testCommentStringsAreQuoted()
+    {
+        if ( ! $this->_conn->getDatabasePlatform()->supportsInlineColumnComments() &&
+            ! $this->_conn->getDatabasePlatform()->supportsCommentOnStatement() &&
+            $this->_conn->getDatabasePlatform()->getName() != 'mssql') {
+            $this->markTestSkipped('Database does not support column comments.');
+        }
+
+        $table = new Table('my_table');
+        $table->addColumn('id', 'integer', array('comment' => "It's a comment with a quote"));
+        $table->setPrimaryKey(array('id'));
+
+        $this->_sm->createTable($table);
+
+        $columns = $this->_sm->listTableColumns("my_table");
+        $this->assertEquals("It's a comment with a quote", $columns['id']->getComment());
+    }
 }

tests/Doctrine/Tests/DBAL/Platforms/AbstractPlatformTestCase.php

@@ -860,4 +860,75 @@ abstract class AbstractPlatformTestCase extends \Doctrine\Tests\DbalTestCase
             'CREATE INDEX "bar" ON "schema"."table" (id)',
         );
     }
+
+    protected function getStringLiteralQuoteCharacter()
+    {
+        return "'";
+    }
+
+    public function testGetStringLiteralQuoteCharacter()
+    {
+        $this->assertSame($this->getStringLiteralQuoteCharacter(), $this->_platform->getStringLiteralQuoteCharacter());
+    }
+
+    protected function getQuotedCommentOnColumnSQLWithoutQuoteCharacter()
+    {
+        return "COMMENT ON COLUMN mytable.id IS 'This is a comment'";
+    }
+
+    public function testGetCommentOnColumnSQLWithoutQuoteCharacter()
+    {
+        $this->assertEquals(
+            $this->getQuotedCommentOnColumnSQLWithoutQuoteCharacter(),
+            $this->_platform->getCommentOnColumnSQL('mytable', 'id', 'This is a comment')
+        );
+    }
+
+    protected function getQuotedCommentOnColumnSQLWithQuoteCharacter()
+    {
+        return "COMMENT ON COLUMN mytable.id IS 'It''s a quote !'";
+    }
+
+    public function testGetCommentOnColumnSQLWithQuoteCharacter()
+    {
+        $c = $this->getStringLiteralQuoteCharacter();
+
+        $this->assertEquals(
+            $this->getQuotedCommentOnColumnSQLWithQuoteCharacter(),
+            $this->_platform->getCommentOnColumnSQL('mytable', 'id', "It" . $c . "s a quote !")
+        );
+    }
+
+    protected function getQuotedStringLiteralWithoutQuoteCharacter()
+    {
+        return "'No quote'";
+    }
+
+    protected function getQuotedStringLiteralWithQuoteCharacter()
+    {
+        return "'It''s a quote'";
+    }
+
+    protected function getQuotedStringLiteralQuoteCharacter()
+    {
+        return "''''";
+    }
+
+    public function testQuoteStringLiteral()
+    {
+        $c = $this->getStringLiteralQuoteCharacter();
+
+        $this->assertEquals(
+            $this->getQuotedStringLiteralWithoutQuoteCharacter(),
+            $this->_platform->quoteStringLiteral('No quote')
+        );
+        $this->assertEquals(
+            $this->getQuotedStringLiteralWithQuoteCharacter(),
+            $this->_platform->quoteStringLiteral('It' . $c . 's a quote')
+        );
+        $this->assertEquals(
+            $this->getQuotedStringLiteralQuoteCharacter(),
+            $this->_platform->quoteStringLiteral($c)
+        );
+    }
 }

tests/Doctrine/Tests/DBAL/Platforms/AbstractPostgreSqlPlatformTestCase.php

@@ -656,4 +656,12 @@ abstract class AbstractPostgreSqlPlatformTestCase extends AbstractPlatformTestCa
             'ALTER INDEX "schema"."foo" RENAME TO "bar"',
         );
     }
+
+    public function testGetNullCommentOnColumnSQL()
+    {
+        $this->assertEquals(
+            "COMMENT ON COLUMN mytable.id IS NULL",
+            $this->_platform->getCommentOnColumnSQL('mytable', 'id', null)
+        );
+    }
 }