search

cycle / database

Database Abstraction Layer, Schema Introspection, Schema Generation, Query Builders
MIT License
53 stars 22 forks source link

🐛 Incorrect insertion of FragmentInterface parameters in direct database queries #168

Open iGrog opened 3 months ago

iGrog commented 3 months ago

No duplicates 🥲.

Database

MySQL

What happened?

        $orderGuids = [Guid::generate()]; // Guid implements FragmentInterface

        $sql = <<<SQL
SELECT SUM(ShippedQuantity) AS quantity, ProductGuid, ShipmentGuid, OrderGuid
FROM shipments
WHERE OrderGuid IN (?)
GROUP BY ProductGuid, ShipmentGuid, OrderGuid
SQL;

        $result = $this->database->query($sql, $orderGuids)->fetchAll();

expected query:

    SELECT SUM(ShippedQuantity) AS quantity, ProductGuid, ShipmentGuid, OrderGuid
    FROM shipments
    WHERE OrderGuid IN (UUID_TO_BIN('018a02d9-ae58-bd7d-db14-400350da139f'))
    GROUP BY ProductGuid, ShipmentGuid, OrderGuid

actual query: (UUID_TO_BIN is missing)

    SELECT SUM(ShippedQuantity) AS quantity, ProductGuid, ShipmentGuid, OrderGuid
    FROM shipments
    WHERE OrderGuid IN ('018a02d9-ae58-bd7d-db14-400350da139f')
    GROUP BY ProductGuid, ShipmentGuid, OrderGuid

Version

database 2.8.1
PHP 8.3
roxblnfk commented 3 months ago

It's impossible to send value plus function instead of just value in a prepared statement