Skip to content

D
doctrine-dbal
Commit a2701b52 authored by Steve Müller's avatar Steve Müller
Browse files
Options

Merge pull request #842 from helicon-os/DBAL-1205 

Fixed incorrect handling of single quotes in SQL-Strings
parents f5f99cd4 12d40876
Hide whitespace changes
Inline Side-by-side
Showing with 23 additions and 1 deletion
lib/Doctrine/DBAL/SQLParserUtils.php
View file @ a2701b52
...@@ -32,7 +32,7 @@ class SQLParserUtils ...@@ -32,7 +32,7 @@ class SQLParserUtils
const NAMED_TOKEN = '(?<!:):[a-zA-Z_][a-zA-Z0-9_]*'; const NAMED_TOKEN = '(?<!:):[a-zA-Z_][a-zA-Z0-9_]*';
// Quote characters within string literals can be preceded by a backslash. // Quote characters within string literals can be preceded by a backslash.
const ESCAPED_SINGLE_QUOTED_TEXT = "'(?:[^'\\\\]|\\\\'?)*'"; const ESCAPED_SINGLE_QUOTED_TEXT = "'(?:[^'\\\\]|\\\\'?|'')*'";
const ESCAPED_DOUBLE_QUOTED_TEXT = '"(?:[^"\\\\]|\\\\"?)*"'; const ESCAPED_DOUBLE_QUOTED_TEXT = '"(?:[^"\\\\]|\\\\"?)*"';
const ESCAPED_BACKTICK_QUOTED_TEXT = '`(?:[^`\\\\]|\\\\`?)*`'; const ESCAPED_BACKTICK_QUOTED_TEXT = '`(?:[^`\\\\]|\\\\`?)*`';
const ESCAPED_BRACKET_QUOTED_TEXT = '\[(?:[^\]])*\]'; const ESCAPED_BRACKET_QUOTED_TEXT = '\[(?:[^\]])*\]';
......
tests/Doctrine/Tests/DBAL/SQLParserUtilsTest.php
View file @ a2701b52
...@@ -53,6 +53,19 @@ class SQLParserUtilsTest extends \Doctrine\Tests\DbalTestCase ...@@ -53,6 +53,19 @@ class SQLParserUtilsTest extends \Doctrine\Tests\DbalTestCase
array('SELECT foo::date as date FROM Foo WHERE bar > :start_date AND baz > :start_date', false, array(46 => 'start_date', 68 => 'start_date')), // Ticket GH-259 array('SELECT foo::date as date FROM Foo WHERE bar > :start_date AND baz > :start_date', false, array(46 => 'start_date', 68 => 'start_date')), // Ticket GH-259
array('SELECT `d.ns:col_name` FROM my_table d WHERE `d.date` >= :param1', false, array(57 => 'param1')), // Ticket DBAL-552 array('SELECT `d.ns:col_name` FROM my_table d WHERE `d.date` >= :param1', false, array(57 => 'param1')), // Ticket DBAL-552
array('SELECT [d.ns:col_name] FROM my_table d WHERE [d.date] >= :param1', false, array(57 => 'param1')), // Ticket DBAL-552 array('SELECT [d.ns:col_name] FROM my_table d WHERE [d.date] >= :param1', false, array(57 => 'param1')), // Ticket DBAL-552
array(
<<<'SQLDATA'
SELECT * FROM foo WHERE
bar = ':not_a_param1 ''":not_a_param2"'''
OR bar=:a_param1
OR bar=:a_param2||':not_a_param3'
OR bar=':not_a_param4 '':not_a_param5'' :not_a_param6'
OR bar=''
OR bar=:a_param3
SQLDATA
, false, array(74 => 'a_param1', 91 => 'a_param2', 190 => 'a_param3')
),
); );
} }
...@@ -334,6 +347,15 @@ class SQLParserUtilsTest extends \Doctrine\Tests\DbalTestCase ...@@ -334,6 +347,15 @@ class SQLParserUtilsTest extends \Doctrine\Tests\DbalTestCase
array(1, null), array(1, null),
array(\PDO::PARAM_INT, \PDO::PARAM_NULL) array(\PDO::PARAM_INT, \PDO::PARAM_NULL)
), ),
// DBAL-1205 - Escaped single quotes SQL- and C-Style
array(
"SELECT * FROM Foo WHERE foo = :foo||''':not_a_param''\\'' OR bar = ''':not_a_param''\\'':bar",
array(':foo' => 1, ':bar' => 2),
array(':foo' => \PDO::PARAM_INT, 'bar' => \PDO::PARAM_INT),
'SELECT * FROM Foo WHERE foo = ?||\'\'\':not_a_param\'\'\\\'\' OR bar = \'\'\':not_a_param\'\'\\\'\'?',
array(1, 2),
array(\PDO::PARAM_INT, \PDO::PARAM_INT)
),
); );
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment