[11.x] Fix resource not escaped correctly in substituteBindingsIntoRawSql() #53100
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When bindings contain a resource (e.g. file resource), then it is not escaped correctly. Additionally, the gettype() call is to ensure that a closed resource is also escaped correctly. The latter is an edge-case scenario, which can be encountered in situations when a file handler has already been closed, and one attempts to log the executed query, e.g. via using barryvdh/laravel-debugbar.
timacdonald
pushed a commit
to timacdonald/framework
that referenced
this pull request
Oct 15, 2024
When bindings contain a resource (e.g. file resource), then it is not escaped correctly. Additionally, the gettype() call is to ensure that a closed resource is also escaped correctly. The latter is an edge-case scenario, which can be encountered in situations when a file handler has already been closed, and one attempts to log the executed query, e.g. via using barryvdh/laravel-debugbar.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I have encountered a small bug, inside
Grammar::substituteBindingsIntoRawSql(). When$bindingscontain a resource (e.g. file resource), then it is not escaped correctly. Furthermore, in an edge-case, when a resource is already closed, then that too leads to a PHPTypeErrorbeing thrown. This PR fixes that issue.Additional Information
The reason why I came across this, was when using barryvdh/laravel-debugbar to log executed queries. In my situation, a small file (resource) was successfully written to the database, and its resource handler was closed. However, when the debugbar attempted to log the executed query, it failed and yielded the following
TypeError:I have reviewed the source code of laravel debugbar, but it seems that
substituteBindingsIntoRawSql()might be the more appropriate place to fix this issue.