[2.x] Escape single-quotes from SOQLConnection #107
+2
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hey @roblesterjr04! 👋 Sorry to bother, just wanted to see if you had a chance to check this out. Any thoughts/feedback? |
|
Hi Casey, i just haven't had time to review it in depth. Have you run the unit tests on your machine? |
|
I've meet a problem which I think can be solved by this. I need to query some data and filter using this value I overcome it with the following code
|
danielpetrica
suggested changes
Sep 24, 2024
| @@ -155,6 +155,8 @@ public function prepareBindings(array $bindings) | |||
| $bindings[$key] = $value->format($grammar->getDateFormat()); | |||
| } else if (is_bool($value)) { | |||
| $bindings[$key] = $value ? 'TRUE' : 'FALSE'; | |||
| } else if (is_string($value) { | |||
There was a problem hiding this comment.
There is a missing ) here. it should be } else if (is_string($value)) {
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@roblesterjr04 revisiting this bit from #95 tonight, and I'm pretty sure #96 doesn't actually solve the underlying problem.
I've continued to get SOQL errors related to unescaped quotes. As far as I can tell, the
toSqlmethod inside ofSOQLBuilder.phpnever actually gets called, at least not onSELECTqueries. Eg, you can chuck add('won't ever show');into the top of that method, hit a page or endpoint that calls a select query, and it will go through without dumping. This might be anecdotal, but at least on simple tests I ran, it's never getting called.I think what's happening with that
SOQLBuilderclass, is that it's intending to override thetoSqlmethod from its parent...butSOQLBuilderextends the Eloquent Builder, not the Query Builder, and thattoSqlmethod exists on the latter. It therefore never gets called on the former, which means theSOQLBuilder's override never gets called either. This is handled via the$passthruproperty from the Eloquent Builder, which (via thetoBase()method) hands off calls liketoSqldown to the Query Builder.Definitely wouldn't put money on this, but I suspect you could delete that entire
toSqlmethod fromSOQLBuilder, and nothing would break, as I just don't think it gets called anywhere (except maybe inSOQLBatch).Will defer to you on any changes to that class, though—this PR doesn't touch it.
So TL;DR - this PR essentially takes the patch in #96, and relocates it to the
SOQLConnection->prepareBindings()method with anis_stringcheck, where it actually gets called & applied.I would definitely give this all a thorough review, though, as I think there might be some security considerations with how
'and similar characters are able to be passed in? Dunno, that's not my forte, so I defer to your expertise. 🙂 That said, let me know if there's anything you'd like to see modified with this PR; happy to help where I can.