Merge pull request #842 from helicon-os/DBAL-1205

Fixed incorrect handling of single quotes in SQL-Strings

Merge pull request #842 from helicon-os/DBAL-1205
Fixed incorrect handling of single quotes in SQL-Strings
a2701b52 · Steve Müller · f5f99cd4 · 12d40876 · a2701b52 · a2701b52
Commit a2701b52 authored Jan 10, 2016 by Steve Müller
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

SQLParserUtils.php lib/Doctrine/DBAL/SQLParserUtils.php +1 -1

SQLParserUtilsTest.php tests/Doctrine/Tests/DBAL/SQLParserUtilsTest.php +22 -0

No files found.
--- a/lib/Doctrine/DBAL/SQLParserUtils.php
+++ b/lib/Doctrine/DBAL/SQLParserUtils.php
@@ -32,7 +32,7 @@ class SQLParserUtils
    const NAMED_TOKEN      = '(?<!:):[a-zA-Z_][a-zA-Z0-9_]*';

    // Quote characters within string literals can be preceded by a backslash.
-    const ESCAPED_SINGLE_QUOTED_TEXT = "'(?:[^'\\\\]|\\\\'?)*'";
+    const ESCAPED_SINGLE_QUOTED_TEXT = "'(?:[^'\\\\]|\\\\'?|'')*'";
    const ESCAPED_DOUBLE_QUOTED_TEXT = '"(?:[^"\\\\]|\\\\"?)*"';
    const ESCAPED_BACKTICK_QUOTED_TEXT = '`(?:[^`\\\\]|\\\\`?)*`';
    const ESCAPED_BRACKET_QUOTED_TEXT = '\[(?:[^\]])*\]';

--- a/tests/Doctrine/Tests/DBAL/SQLParserUtilsTest.php
+++ b/tests/Doctrine/Tests/DBAL/SQLParserUtilsTest.php
@@ -53,6 +53,19 @@ class SQLParserUtilsTest extends \Doctrine\Tests\DbalTestCase
            array('SELECT foo::date as date FROM Foo WHERE bar > :start_date AND baz > :start_date', false, array(46 => 'start_date', 68 =>  'start_date')), // Ticket GH-259
            array('SELECT `d.ns:col_name` FROM my_table d WHERE `d.date` >= :param1', false, array(57 => 'param1')), // Ticket DBAL-552
            array('SELECT [d.ns:col_name] FROM my_table d WHERE [d.date] >= :param1', false, array(57 => 'param1')), // Ticket DBAL-552
+            array(
+<<<'SQLDATA'
+SELECT * FROM foo WHERE 
+bar = ':not_a_param1 ''":not_a_param2"'''
+OR bar=:a_param1
+OR bar=:a_param2||':not_a_param3'
+OR bar=':not_a_param4 '':not_a_param5'' :not_a_param6'
+OR bar=''
+OR bar=:a_param3
+SQLDATA
+                , false, array(74 => 'a_param1', 91 => 'a_param2', 190 => 'a_param3')
+            ),
+            
        );
    }

@@ -334,6 +347,15 @@ class SQLParserUtilsTest extends \Doctrine\Tests\DbalTestCase
                array(1, null),
                array(\PDO::PARAM_INT, \PDO::PARAM_NULL)
            ),
+            // DBAL-1205 - Escaped single quotes SQL- and C-Style
+            array(
+                "SELECT * FROM Foo WHERE foo = :foo||''':not_a_param''\\'' OR bar = ''':not_a_param''\\'':bar",
+                array(':foo' => 1, ':bar' => 2),
+                array(':foo' => \PDO::PARAM_INT, 'bar' => \PDO::PARAM_INT),
+                'SELECT * FROM Foo WHERE foo = ?||\'\'\':not_a_param\'\'\\\'\' OR bar = \'\'\':not_a_param\'\'\\\'\'?',
+                array(1, 2),
+                array(\PDO::PARAM_INT, \PDO::PARAM_INT)
+            ),
        );
    }