ikkez / f3-cortex

A multi-engine ORM / ODM for the PHP Fat-Free Framework
GNU General Public License v3.0

Escaping field names #21

Closed ekhaled closed 8 years ago

ekhaled commented 8 years ago

Hi, I have a table called order (don't ask... legacy DB structure :disappointed:) and a has-many relation called order_history;

when I try to cast the order object with relations: $model->cast(null, array('order_history' => 0));

I get the following error:

[...src/vendor/bcosca/fatfree-core/base.php:2032] Base->error(500,'PDOStatement: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order = 8' at line 1')
[...src/vendor/bcosca/fatfree-core/db/sql/mapper.php:276] DB\SQL->exec('SELECT `id`,`order`,`user`,`description`,`created`,`modified` FROM `order_history` WHERE order = ?',array(1=>8),0)
[...src/vendor/bcosca/fatfree-core/db/sql/mapper.php:318] DB\SQL\Mapper->select('`id`,`order`,`user`,`description`,`created`,`modified`',array('order = ?',8),array('group'=>NULL,'order'=>NULL,'limit'=>0,'offset'=>0),0)
[...src/vendor/ikkez/f3-cortex/lib/db/cortex.php:815] DB\SQL\Mapper->find(array('order = ?',8),NULL,0)
[/var/www/html/zanussi-boilers-api/src/vendor/ikkez/f3-cortex/lib/db/cortex.php:580] DB\Cortex->filteredFind(array('order = ?',8),NULL,0)
[...src/vendor/ikkez/f3-cortex/lib/db/cortex.php:1549] DB\Cortex->find(array('order = ?',8),NULL,0)
[...src/vendor/ikkez/f3-cortex/lib/db/cortex.php:1839] DB\Cortex->get('order_history')

I know it's because order is not being escaped. If you could direct me, I'm happy to send a pull request.

Is it enough to hardcode the escaping on line 580 (and other similar lines)?

I have checked and it works, but I don't know how it will affect other supported databases.

Thanks for the awesome ORM.

ikkez commented 8 years ago

Hi @ekhaled It was actually not that simple, because I had to extend the query parser and add a handful of exceptions for not escaping SQL functions and such. After re-aligning some parts, this new escaping feature should be ready to go. Just give it a try. If something goes wrong, you can disable that identifier escaping by setting CORTEX.quoteConditions = false in a config file.
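The two points raised in this thread are that a reserved word like `order` must be quoted as an identifier (with the quote style differing between engines, which is why hardcoding backticks in one place is not enough), and that the condition parser needs exceptions so SQL function calls are not quoted. The following is an added illustration of that idea and is not f3-cortex's own code; the class name, the engine-to-quote table and the regex-based condition rewriting are assumptions made for the example, and it only handles the simple "column operator ?" shape seen in the issue.

```php
<?php
// Added example, not part of f3-cortex: engine-aware identifier quoting for
// simple filter conditions. Values still travel through PDO placeholders;
// only the column names on the left of each comparison are quoted.
declare(strict_types=1);

final class IdentifierQuoter
{
    /** Opening/closing quote characters per PDO driver name (assumed table). */
    private const QUOTES = [
        'mysql'  => ['`', '`'],
        'pgsql'  => ['"', '"'],
        'sqlite' => ['"', '"'],
        'sqlsrv' => ['[', ']'],
    ];

    private string $engine;

    public function __construct(string $engine)
    {
        if (!isset(self::QUOTES[$engine])) {
            throw new InvalidArgumentException("unsupported engine: $engine");
        }
        $this->engine = $engine;
    }

    /**
     * Quote a plain or table-qualified identifier (`order`, `order_history.order`).
     * Only identifier characters are accepted, so anything that is not a bare
     * column or table name is rejected instead of being wrapped in quotes.
     */
    public function quote(string $identifier): string
    {
        [$open, $close] = self::QUOTES[$this->engine];
        $parts = explode('.', $identifier);
        foreach ($parts as &$part) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $part)) {
                throw new InvalidArgumentException("invalid identifier: $identifier");
            }
            $part = $open . $part . $close;
        }
        unset($part);
        return implode('.', $parts);
    }

    /**
     * Quote the column on the left side of "column <op> ?" conditions that
     * start the string or follow AND/OR. A function call such as COUNT(id)
     * does not match the pattern (the identifier is followed by "(", not an
     * operator), so it is left alone; that is the kind of exception the
     * parser needs.
     */
    public function quoteConditions(string $where): string
    {
        $pattern = '/(^|\s(?:AND|OR)\s+)([A-Za-z_][A-Za-z0-9_.]*)(\s*(?:=|<>|!=|<=|>=|<|>|LIKE|IN)\s*)/i';
        return preg_replace_callback($pattern, function (array $m): string {
            return $m[1] . $this->quote($m[2]) . $m[3];
        }, $where);
    }
}

// Usage: the filter that failed in the issue, with the value still bound as ?.
$q = new IdentifierQuoter('mysql');
$filter = ['order = ?', 8];
$sql = 'SELECT * FROM ' . $q->quote('order_history')
     . ' WHERE ' . $q->quoteConditions($filter[0]);
echo $sql, PHP_EOL;
// SELECT * FROM `order_history` WHERE `order` = ?

// Same condition on PostgreSQL, with a function call that must stay unquoted.
echo (new IdentifierQuoter('pgsql'))->quoteConditions('order = ? AND COUNT(id) > ?'), PHP_EOL;
// "order" = ? AND COUNT(id) > ?
```

The allowlist regex in `quote()` is the important defensive detail: quoting an identifier is not an escaping step for untrusted input, so a name that is not a plain identifier is refused rather than quoted. Values such as the `8` in the filter never pass through this code path and remain bound via the `?` placeholder.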

ekhaled commented 8 years ago

This is working very well now, just tested.