Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implemented proper escaping of string literals in platforms and schema managers #3317

Merged
merged 1 commit into from
Oct 7, 2018

Conversation

morozov
Copy link
Member

@morozov morozov commented Oct 6, 2018

Q A
Type improvement
BC Break no
Fixed issues none

Some SQL queries used internally in DBAL wrap string literals in quotes w/o doing proper escaping. While it doubtfully can be considered a security issue on its own, it still makes sense to fix them at least in order to set a proper example of writing SQL queries.

Copy link
Member

@Ocramius Ocramius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@Ocramius Ocramius merged commit 94ba9d7 into doctrine:master Oct 7, 2018
@Majkl578
Copy link
Contributor

Majkl578 commented Oct 7, 2018

WIP? 😁

@Ocramius Ocramius removed the WIP label Oct 7, 2018
@morozov
Copy link
Member Author

morozov commented Oct 7, 2018

@Majkl578 It was actually done, I wanted to run all tests first. Thanks, @Ocramius.

@morozov morozov deleted the platforms-literal-escaping branch October 7, 2018 18:13
rgrellmann added a commit to Rossmann-IT/dbal that referenced this pull request Apr 22, 2020
Release v2.9.0

This is a minor release of Doctrine DBAL that aggregates over 40 fixes and improvements developed by 18 contributors over the last 5 months.

This release includes all changes of the 2.8.x series, as well as feature additions and improvements that couldn't land in patch releases.

## Backwards Compatibility Breaks

This doesn't contain any intentional Backwards Compatibility (BC) breaks.

## Deprecations

* The usage of `NULL` to specify the absence of an offset in `LIMIT`ed queries is deprecated. Use `0` instead.
* It's not recommended to rely on the default length specified by implementations of `Type`. These values are not used by the library and will be removed.
* It's not recommended to rely on the string representation of `Type` objects.
* Regular-expression based asset filters are deprecated in favor of callback-based as more extensible.
* Calling `Statement::fetchColumn()` with an invalid column index is deprecated.
* The `dbal:import` CLI command is deprecated. Please use other database client applications for import.

Please see details in the [UPGRADE.md](UPGRADE.md) documentation.

## New Features

* Added support for MariaDB 10.3.
* Added support for Windows authentication for SQL Server.
* Added support for column length in index definitions on MySQL.

## Improvements and Fixes

* Implemented handling BLOB objects represented as streams in the MySQL (`mysqli`) driver.
* Implemented handling BLOB objects represented as streams in the IDM DB2 driver.
* DBAL is now continuously tested with the PDO driver for Oracle.
* Implemented handling of URLs in master-slave and pooling-shard connection configuration.
* The codebase is now fully compatible with the Doctrine Coding Standard v5.0.

Total issues resolved: **45**

**Deprecations:**

- [3244: Deprecated dbal:import CLI command](doctrine#3244) thanks to @morozov
- [3253: Deprecated usage of the NULL offset in LIMITed queries](doctrine#3253) thanks to @morozov
- [3256: Deprecate Doctrine\DBAL\Types\Type::getDefaultLength()](doctrine#3256) thanks to @Majkl578
- [3258: Deprecate Doctrine\DBAL\Types\Type::&doctrine#95;&doctrine#95;toString()](doctrine#3258) thanks to @Majkl578
- [3316: Deprecated regex-based asset filters](doctrine#3316) thanks to @morozov
- [3359: Removed DataAccessTest::testFetchColumnNonExistingIndex() since it covers a bug in PDO](doctrine#3359) thanks to @morozov

**New Features:**

- [2412: Add mysql specific indexes with lengths](doctrine#2412) thanks to @bburnichon
- [3278: Add support for MariaDB 10.3](doctrine#3278) thanks to @javiereguiluz
- [3283: MariaDB improvements, support 10.3](doctrine#3283) thanks to @sidz
- [3333: Allow windows (userless/passwordless) authentication for SQL Server](doctrine#3333) thanks to @odinsey

**Bug Fixes:**

- [3355: Implemented comparison of default values as strings regardless of their PHP types](doctrine#3355) thanks to @morozov and @Majkl578

**Improvements:**

- [3201: Fix support for URL to account for master-slave and pooling-shard connections](doctrine#3201) thanks to @stof
- [3217: Fix that MysqliStatement cannot handle streams](doctrine#3217) thanks to @mpdude
- [3235: Use PSR-4 autoloader](doctrine#3235) thanks to @Majkl578
- [3254: Throw ConversionException when unserialization fail for array and object types](doctrine#3254) thanks to @seferov
- [3259: Update export ignores](doctrine#3259) thanks to @Majkl578
- [3309: Implemented handling BLOBs represented as stream resources for IBM DB2](doctrine#3309) thanks to @morozov and @mpdude
- [3331: Fetch all should use the driver statement's fetchAll method](doctrine#3331) thanks to @michaelcullum

**Documentation Improvements:**

- [3223: GitHub template grammar/spelling fixes](doctrine#3223) thanks to @GawainLynch
- [3232: Removed NOW() from QueryBuilder usage examples](doctrine#3232) thanks to @morozov
- [3239: 2.8 in README & branch alias to 2.9](doctrine#3239) thanks to @Majkl578
- [3269: Fixed type hints in DockBlocks](doctrine#3269) thanks to @marforon
- [3275: Add .doctrine-project.json to root of the project.](doctrine#3275) thanks to @jwage
- [3276: Update homepage](doctrine#3276) thanks to @Majkl578
- [3280: Use behaviuor instead of  behavior](doctrine#3280) thanks to @BackEndTea
- [3285: Remove old comment from MysqliStatement](doctrine#3285) thanks to @mpdude
- [3318: Removed link to www.doctrine-project.org from doc blocks](doctrine#3318) thanks to @morozov
- [3319: remove ClassLoader](doctrine#3319) thanks to @garak
- [3337: Fix of links in documentation](doctrine#3337) thanks to @SenseException
- [3350: Remove pdo&doctrine#95;sqlsrv from known vendor issues list](doctrine#3350) thanks to @ostrolucky
- [3357: Fix typo](doctrine#3357) thanks to @BenMorel
- [3370: Removed 2.7 from README](doctrine#3370) thanks to @morozov

**Code Quality Improvements:**

- [3252: Replaced call&doctrine#95;user&doctrine#95;func&doctrine#95;array() of a fixed method with the usage of variadic arguments](doctrine#3252) thanks to @morozov
- [3306: Fixed coding standard violations in the codebase](doctrine#3306) thanks to @morozov
- [3303: Updated doctrine/coding-standard to 5.0, ](doctrine#3303) thanks to @morozov
- [3317: Implemented proper escaping of string literals in platforms and schema managers](doctrine#3317) thanks to @morozov
- [3363: Remove redundant implements](doctrine#3363) thanks to @BenMorel

**Continuous Integration Improvements:**

- [3307: Test against the latest stable sqlsrv extension](doctrine#3307) thanks to @morozov
- [3320: Trying to fix failing DB builds](doctrine#3320) thanks to @morozov
- [3325: Updated PHPUnit to 7.4](doctrine#3325) thanks to @morozov
- [3339: ContinuousPHP configuration for PDO Oracle driver](doctrine#3339) thanks to @morozov
- [3365: Reorganize Travis build matrix](doctrine#3365) thanks to @BenMorel

# gpg: Signature made Tue Dec  4 05:44:06 2018
# gpg:                using RSA key 374EADAF543AE995
# gpg: Can't check signature: public key not found

# Conflicts:
#	README.md
#	lib/Doctrine/DBAL/Driver/AbstractOracleDriver.php
#	lib/Doctrine/DBAL/Version.php
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 11, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants