mavinoo / laravelBatch

insert batch and update batch in laravel
MIT License

creates invalid query with quotes in json #71

Open christophmayrhofer opened 3 years ago

christophmayrhofer commented 3 years ago

MySQL requires \\ to escape " in a query

the correct query should be:

UPDATE `test_rows`
SET `test_column` = '{"name":"some \\"quoted\\" word"}' 
WHERE `id` = 1;

but running this:

$data = [
    "name" => 'some "quoted" word'
];

// one row per update; 'id' is the key column, 'test_column' receives the JSON
$updates = [[
    'id' => 1,
    'test_column' => json_encode($data)
]];

// TestRow is the Eloquent model for the `test_rows` table
batch()->update(new TestRow(), $updates, 'id');

results in this (invalid) query:

UPDATE `test_rows`
SET `test_column` = '{"name":"some \"quoted\" word"}' 
WHERE `id` = 1;

Another concern: The code uses string concatenation to create the WHEN/THEN query. Isn't this a risk for SQL injections? Why doesn't it use a parameterized query?
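As an added example (not the package's or the reporter's code), a batch update built with bindings so the database driver does the escaping of the JSON; it assumes a `test_rows` table with `id` and `test_column` and uses an in-memory SQLite PDO connection in place of MySQL, and the returned `$sql`/`$bindings` pair is what you would hand to `DB::update()` in Laravel.

```php
<?php
// Added example, not laravelBatch's own code: build the batch UPDATE with bindings so
// JSON with quotes/backslashes never enters the SQL text. Assumes a `test_rows` table
// with `id` and `test_column`; an in-memory SQLite PDO connection stands in for MySQL.
function safeIdent(string $name): string
{
    // Identifiers cannot be bound, so restrict them to a plain word before quoting.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Bad identifier: $name");
    }
    return "`$name`";
}

/** Returns [$sql, $bindings]: UPDATE t SET c = CASE WHEN k = ? THEN ? ... END WHERE k IN (?,...). */
function buildBatchUpdate(string $table, array $rows, string $key): array
{
    $columns = array_keys(array_diff_key(array_merge(...$rows), [$key => true]));
    $sets = [];
    $bindings = [];
    foreach ($columns as $col) {
        $cases = '';
        foreach ($rows as $row) {
            if (!array_key_exists($col, $row)) {
                continue; // this row leaves the column unchanged (ELSE branch)
            }
            $cases .= ' WHEN ' . safeIdent($key) . ' = ? THEN ?';
            $bindings[] = $row[$key];
            $bindings[] = $row[$col];
        }
        $sets[] = safeIdent($col) . " = CASE$cases ELSE " . safeIdent($col) . ' END';
    }
    $ids = array_column($rows, $key);
    $sql = 'UPDATE ' . safeIdent($table) . ' SET ' . implode(', ', $sets)
         . ' WHERE ' . safeIdent($key) . ' IN (' . implode(', ', array_fill(0, count($ids), '?')) . ')';
    return [$sql, array_merge($bindings, $ids)];
}

// Values from the issue, round-tripped through SQLite. In Laravel: DB::update($sql, $bindings).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE test_rows (id INTEGER PRIMARY KEY, test_column TEXT)');
$pdo->exec('INSERT INTO test_rows (id) VALUES (1), (2)');
$rows = [
    ['id' => 1, 'test_column' => json_encode(['name' => 'some "quoted" word'])],
    ['id' => 2, 'test_column' => json_encode(['color' => "Ladies' day", 'path' => 'C:\\tmp'])],
];
[$sql, $bindings] = buildBatchUpdate('test_rows', $rows, 'id');
$pdo->prepare($sql)->execute($bindings);
foreach ($rows as $row) {
    $stmt = $pdo->prepare('SELECT test_column FROM test_rows WHERE id = ?');
    $stmt->execute([$row['id']]);
    var_dump($stmt->fetchColumn() === $row['test_column']); // stored JSON matches what was sent
}
```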

anchetaWern commented 2 years ago

I'm also having the same problem. Was trying to insert the following:

{"type":"NAIL_POLISH","size":"8 ml (Pack of 25)","color":"Ladies' day","productGroup":"Beauty","itemLength":225,"itemWidth":143,"part_type":"LMPL-SET"}

The single quote in "Ladies' day" is causing a problem, but when I tried it using the usual means it worked:

use Illuminate\Support\Facades\DB;

$array = [
    'type' => 'NAIL_POLISH',
    'size' => '8 ml (Pack of 25)',
    'color' => "Ladies' day",
    'productGroup' => 'Beauty',
    'itemLength' => '225',
    'itemWidth' => '143',
    'part_type' => 'LMPL-SET',
];

// plain query-builder insert: the JSON string is passed as a binding
$str = json_encode($array);
DB::table('test_table')
    ->insert([
        'json_str' => $str,
    ]);
return 'ok';

This really needs fixing.

zqh375 commented 1 year ago

[image] caused by here