nette / nette

Nette\Database weird auto escaping #1470

Closed matopeto closed 10 years ago

matopeto commented 10 years ago
$source->where("DATE_FORMAT(`timestamp`, '%Y-%m') = ?", $value);

is translated to:

WHERE (DATE_FORMAT(`timestamp`, '%Y-%`m`') = ?) 

(m is wrongly escaped)

But if I change quotes and double quotes:

$source->where('DATE_FORMAT(`timestamp`, "%Y-%m") = ?', $value);

output is correct

WHERE (DATE_FORMAT(`timestamp`, "%Y-%m") = ?) 

Both wheres should generate correct (2nd) expression.

hrach commented 10 years ago

Well, you should use this

$source->where("DATE_FORMAT(`timestamp`, ?) = ?", '%Y-%m', $value);

It works with quotes only because they're the column delimiter in Postgres. This issue is tracked in #1112.

matopeto commented 10 years ago

Ok, but maybe it should be denied and throw an exception.

matopeto commented 10 years ago

And what is the correct way to escape strings in order? (The order method doesn't have an extra parameter to handle "?")

$source->order("FIELD(`state`, 'new', 'edited', 'deleted', 'public')")

is translated to:

ORDER BY FIELD(`state`, '`new`', '`edited`', '`deleted`', '`public`')

Of course, strings in double quotes work.

But I would like to write something like this:

$source->order('FIELD(`state`, ?, ?, ?, ?)', "new", "edited", "deleted", "public")

hrach commented 10 years ago

it should work...

$source->order('FIELD(`state`, ?, ?, ?, ?)', "new", "edited", "deleted", "public")

matopeto commented 10 years ago

Ok thanks, I see, in 2.1 :) but in Nette 2.0.x it is not :)

hrach commented 10 years ago

yes :)
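The pattern hrach recommends in this thread (every value goes through a "?" placeholder, nothing is written as a quoted literal inside the SQL text) generalizes to lists of any length. The PHP below is an added example, not code from the issue or from Nette itself; it assumes $source is a Nette\Database\Table\Selection as in the issue, and that where() and order() accept "?" placeholders followed by the values, which is the Nette 2.1 behaviour hrach describes. The helper names orderByStatePriority and whereMonth are hypothetical.

```php
<?php
// Added example (not from the issue or from Nette): the FIELD() ordering and
// the DATE_FORMAT() condition discussed in the thread, built with placeholders
// only. Assumes $source is a Nette\Database\Table\Selection whose where() and
// order() take "?" placeholders followed by values (Nette 2.1 behaviour).

/**
 * Hypothetical helper: ORDER BY FIELD(`state`, ?, ?, ...) with one
 * placeholder per allowed state, so the list length is not hard-coded.
 */
function orderByStatePriority($source, array $states)
{
    if ($states === []) {
        throw new InvalidArgumentException('At least one state is required.');
    }
    // One "?" per value; the database layer quotes each value, so the
    // SQL text never contains a literal that could be mis-escaped.
    $placeholders = implode(', ', array_fill(0, count($states), '?'));
    $args = array_merge(["FIELD(`state`, $placeholders)"], array_values($states));
    return call_user_func_array([$source, 'order'], $args);
}

/**
 * Hypothetical helper: the DATE_FORMAT() condition from the issue, with the
 * format string passed as a parameter instead of being written into the SQL.
 */
function whereMonth($source, $yearMonth)
{
    // Reject anything that is not YYYY-MM before it reaches the query, so a
    // caller passing request input gets a clear error rather than an empty or
    // surprising result set.
    if (!preg_match('/^\d{4}-(0[1-9]|1[0-2])$/', $yearMonth)) {
        throw new InvalidArgumentException("Expected YYYY-MM, got '$yearMonth'.");
    }
    return $source->where("DATE_FORMAT(`timestamp`, ?) = ?", '%Y-%m', $yearMonth);
}

// Usage with constructed values (uncomment with a real Selection):
// $rows = whereMonth($source, '2014-03');
// $rows = orderByStatePriority($rows, ['new', 'edited', 'deleted', 'public']);
```

Keeping the SQL text free of string literals does two things at once: it sidesteps the backtick auto-escaping the issue reports, and it means values that originate from a request (the month filter, the state list) are always bound rather than concatenated, which is the same discipline that keeps those inputs from being interpreted as SQL.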