[!!!][BUGFIX] Fix boolean noQuote option in DatabaseConnection::fullQuoteArray 17/46017/3
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Sat, 16 Jan 2016 15:15:52 +0000 (16:15 +0100)
committerAnja Leichsenring <aleichsenring@ab-softlab.de>
Sat, 16 Jan 2016 16:00:24 +0000 (17:00 +0100)
The api for fullQuoteArray allows the parameter $noQuote to be boolean.
This patch corrects the handling of the case when true is being passed
as value for $noQuote.

Resolves: #71458
Releases: master
Change-Id: I332934a471b1e8d7310272bcc2164a375104cb07
Reviewed-on: https://review.typo3.org/46017
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
typo3/sysext/core/Classes/Database/DatabaseConnection.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-71458-FullQuoteArrayCantHandleBooleanValuesForNoQuote.rst [new file with mode: 0644]
typo3/sysext/core/Tests/Unit/Database/DatabaseConnectionTest.php

index 16f2f07..4b799fd 100644 (file)
@@ -871,7 +871,7 @@ class DatabaseConnection
      *
      * @param array $arr Array with values (either associative or non-associative array)
      * @param string $table Table name for which to quote
-     * @param bool|array $noQuote List/array of keys NOT to quote (eg. SQL functions) - ONLY for associative arrays
+     * @param bool|array|string $noQuote List/array of keys NOT to quote (eg. SQL functions) - ONLY for associative arrays
      * @param bool $allowNull Whether to allow NULL values
      * @return array The input array with the values quoted
      * @see cleanIntArray()
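Review bot: The updated `@param` line for `$noQuote` adds `string` to the type but still does not say what the boolean values mean, and after this commit `true` switches quoting off for every value. Callers build SQL from the returned array, so the contract should be spelled out, for example `@param bool|array|string $noQuote TRUE to quote no value at all, FALSE to quote every value, or an array / comma-separated list of keys NOT to quote (eg. SQL functions) - ONLY for associative arrays`. The docblock starts and ends outside this hunk.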
@@ -881,10 +881,12 @@ class DatabaseConnection
         if (is_string($noQuote)) {
             $noQuote = explode(',', $noQuote);
         } elseif (!is_array($noQuote)) {
-            $noQuote = false;
+            $noQuote = (bool)$noQuote;
         }
         foreach ($arr as $k => $v) {
-            if ($noQuote === false || !in_array($k, $noQuote)) {
+            if ($noQuote === true) {
+                continue;
+            } elseif ($noQuote === false || !in_array($k, $noQuote)) {
                 $arr[$k] = $this->fullQuoteStr($v, $table, $allowNull);
             }
         }
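Review bot: The cast `$noQuote = (bool)$noQuote;` turns every truthy value that is neither a string nor an array (an integer `1`, an object) into `true`, so the new `$noQuote === true` branch skips `fullQuoteStr()` for all values and they are returned unquoted. Accepting only the literal keeps quoting enabled for anything unexpected: `$noQuote = $noQuote === true;`. The `true` case could also return `$arr` before the `foreach` instead of hitting `continue` on every element. Separately, `in_array($k, $noQuote)` compares loosely, so on PHP versions before 8 an integer key such as `0` matches any non-numeric field name in the list and that value is left unquoted; passing `true` as the third argument looks safer, though callers that pass numeric keys as strings would need checking first. The function's signature and return are outside this hunk.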
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-71458-FullQuoteArrayCantHandleBooleanValuesForNoQuote.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-71458-FullQuoteArrayCantHandleBooleanValuesForNoQuote.rst
new file mode 100644 (file)
index 0000000..a2d3a2a
--- /dev/null
@@ -0,0 +1,32 @@
+==========================================================================
+Breaking: #71458 - FullQuoteArray can't handle boolean values for $noQuote
+==========================================================================
+
+Description
+===========
+
+The API for fullQuoteArray allows the parameter $noQuote to be boolean but
+converted it automatically to false as $noQuote is neither a string nor an
+array. This behavior has been fixed, passing true for $noQuote now disables
+quoting of any passed in values.
+
+
+Impact
+======
+
+Passing in boolean true results in escaping being disabled for all values.
+
+
+Affected Installations
+======================
+
+All installations making use of *INSERTmultipleRows(), *INSERTquery(),
+*UPDATEquery() or fullQuoteArray() and relying on the fact that quoting
+remains enabled when true is passed as value for $noQuote.
+
+
+Migration
+=========
+
+Pass the correct list of fields to disable quoting for unless none of the
+fields should be quoted.
index ae6bae6..dbc32a0 100644 (file)
@@ -387,4 +387,62 @@ class DatabaseConnectionTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
         $expected = 'SELECT * FROM sys_category,sys_category_record_mm,tt_content WHERE sys_category.uid=sys_category_record_mm.uid_local AND tt_content.uid=sys_category_record_mm.uid_foreign AND sys_category.uid = 1 ORDER BY sys_category.title DESC';
         $this->assertEquals($expected, $result);
     }
+
+    /**
+     * Data provider for searchQueryCreatesQuery
+     *
+     * @return array
+     */
+    public function noQuoteForFullQuoteArrayDataProvider()
+    {
+        return array(
+            'noQuote boolean false' => array(
+                array('aField' => 'aValue', 'anotherField' => 'anotherValue'),
+                array('aField' => '\'aValue\'', 'anotherField' => '\'anotherValue\''),
+                false
+            ),
+            'noQuote boolean true' => array(
+                array('aField' => 'aValue', 'anotherField' => 'anotherValue'),
+                array('aField' => 'aValue', 'anotherField' => 'anotherValue'),
+                true
+            ),
+            'noQuote list of fields' => array(
+                array('aField' => 'aValue', 'anotherField' => 'anotherValue'),
+                array('aField' => '\'aValue\'', 'anotherField' => 'anotherValue'),
+                'anotherField'
+            ),
+            'noQuote array of fields' => array(
+                array('aField' => 'aValue', 'anotherField' => 'anotherValue'),
+                array('aField' => 'aValue', 'anotherField' => '\'anotherValue\''),
+                array('aField')
+            ),
+        );
+    }
+
+    /**
+     * @test
+     * @param array $input
+     * @param array $expected
+     * @param bool|array|string $noQuote
+     * @dataProvider noQuoteForFullQuoteArrayDataProvider
+     */
+    public function noQuoteForFullQuoteArray(array $input, array $expected, $noQuote)
+    {
+        /** @var \TYPO3\CMS\Core\Database\DatabaseConnection|\PHPUnit_Framework_MockObject_MockObject|\TYPO3\CMS\Core\Tests\AccessibleObjectInterface $subject */
+        $subject = $this->getAccessibleMock(
+            \TYPO3\CMS\Core\Database\DatabaseConnection::class,
+            array('fullQuoteStr'),
+            array(),
+            '',
+            false
+        );
+        $subject->_set('isConnected', true);
+        $subject
+            ->expects($this->any())
+            ->method('fullQuoteStr')
+            ->will($this->returnCallback(function ($data) {
+                return '\'' . (string)$data . '\'';
+            }));
+        $this->assertSame($expected, $subject->fullQuoteArray($input, 'aTable', $noQuote));
+    }
 }
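Review bot: The docblock on `noQuoteForFullQuoteArrayDataProvider()` reads `Data provider for searchQueryCreatesQuery`, which names a different test; it should read `Data provider for noQuoteForFullQuoteArray`. The data sets cover `false`, `true`, a field list and a field array, but none pins the result for a non-boolean scalar such as `1` or `null`, or for a non-associative input array. Those are the inputs where quoting could be switched off by accident, so a data set for each would record whichever outcome is intended.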