[BUGFIX] DBAL: Fix quoting of single quotes in WHERE values for MSSQL 03/42803/3
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Fri, 21 Aug 2015 08:42:47 +0000 (10:42 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Wed, 9 Sep 2015 10:11:44 +0000 (12:11 +0200)
MSSQL escapes single quotes in values by doubling them. When parsing the
WHERE clause DBAL removed the escaping without performing the required
escaping of the values when compiling the query. This is fixed by adding
special handling for MSSQL in _quoteWhereClause().

Resolves: #27760
Releases: master, 6.2
Change-Id: I9b8f4fa6ab6e47bd44e6998ee3a492468713cbf0
Reviewed-on: http://review.typo3.org/42803
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Tizian Schmidlin <st@cabag.ch>
Tested-by: Tizian Schmidlin <st@cabag.ch>
Reviewed-by: Xavier Perseguers <xavier@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/dbal/Classes/Database/DatabaseConnection.php
typo3/sysext/dbal/Tests/Unit/Database/DatabaseConnectionMssqlTest.php

index 51ec6ae..224de91 100644 (file)
@@ -1799,9 +1799,7 @@ class DatabaseConnection extends \TYPO3\CMS\Core\Database\DatabaseConnection {
                                        }
                                } else {
                                        // Detecting value type; list or plain:
-                                       if (GeneralUtility::inList('NOTIN,IN', strtoupper(str_replace(array(' ', '
-', '
-', '   '), '', $where_clause[$k]['comparator'])))) {
+                                       if (GeneralUtility::inList('NOTIN,IN', strtoupper(str_replace(array(' ', LF, CR, TAB), '', $where_clause[$k]['comparator'])))) {
                                                if (isset($v['subquery'])) {
                                                        $where_clause[$k]['subquery'] = $this->quoteSELECTsubquery($v['subquery']);
                                                }
@@ -1811,6 +1809,8 @@ class DatabaseConnection extends \TYPO3\CMS\Core\Database\DatabaseConnection {
                                                        && is_string($where_clause[$k]['value'][0]) && strstr($where_clause[$k]['value'][0], '.')
                                                ) {
                                                        $where_clause[$k]['value'][0] = $this->quoteFieldNames($where_clause[$k]['value'][0]);
+                                               } elseif ($this->runningADOdbDriver('mssql')) {
+                                                       $where_clause[$k]['value'][0] = substr($this->handlerInstance[$this->lastHandlerKey]->qstr($where_clause[$k]['value'][0]), 1, -1);
                                                }
                                        }
                                }
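Review bot: The new elseif re-escapes only `$where_clause[$k]['value'][0]` in what appears to be the plain-value branch; the IN/NOT IN list branch just above it in this function passes the parsed list values through untouched, so on MSSQL a value such as `Don't` inside `IN (...)` presumably still reaches the server with its doubled quote stripped, and the new test covers only the LIKE case. Consider applying the same re-escaping to every element of the list in that branch, or adding a comment stating why it is not needed there. The `substr(..., 1, -1)` also silently depends on `qstr()` returning exactly one leading and one trailing quote and nothing else; since MSSQL escaping is plain quote doubling, `str_replace("'", "''", $where_clause[$k]['value'][0])` would express that intent without tying the result to the driver's literal format — confirm against the ADOdb mssql driver before switching. Either way a one-line comment such as `// Parser stripped the doubled quotes; MSSQL needs them back in the compiled literal` would make the branch self-explanatory. The enclosing `_quoteWhereClause()` starts and ends outside this hunk.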
index 02f803a..a249fed 100644 (file)
@@ -174,4 +174,20 @@ class DatabaseConnectionMssqlTest extends AbstractTestCase {
                $this->assertEquals($expected, $this->cleanSql($result));
        }
 
-}
\ No newline at end of file
+       /**
+        * @test
+        * @see http://forge.typo3.org/issues/27760
+        */
+       public function singleQuotesAreProperlyEscaped() {
+               $result = $this->subject->SELECTquery(
+                       'ISEC.phash',
+                       'index_section ISEC, index_fulltext IFT',
+                       'IFT.fulltextdata LIKE \'%' . $this->subject->quoteStr("Don't worry", 'index_fulltext')
+                       . '%\' AND ISEC.phash = IFT.phash',
+                       'ISEC.phash'
+               );
+               $expected = 'SELECT "ISEC"."phash" FROM "index_section" "ISEC", "index_fulltext" "IFT" WHERE "IFT"."fulltextdata" LIKE \'%Don\'\'t worry%\' AND "ISEC"."phash" = "IFT"."phash" GROUP BY "ISEC"."phash"';
+               $this->assertEquals($expected, $this->cleanSql($result));
+       }
+
+}