[TASK] Properly encode database input in Typo3DbQueryParser 16/44016/3
authorHelmut Hummel <helmut.hummel@typo3.org>
Mon, 12 Oct 2015 16:35:22 +0000 (18:35 +0200)
committerNicole Cordes <typo3@cordes.co>
Mon, 12 Oct 2015 18:56:19 +0000 (20:56 +0200)
Resolves: #70632
Releases: 6.2, master
Change-Id: I3ecbc2dd887789866512d4fc4aa7d0913b49fd0d
Reviewed-on: http://review.typo3.org/44016
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
typo3/sysext/extbase/Classes/Persistence/Generic/Storage/Typo3DbQueryParser.php
typo3/sysext/extbase/Tests/Unit/Persistence/Generic/Storage/Typo3DbQueryParserTest.php

index 9ff7f59..023285a 100644 (file)
@@ -782,7 +782,7 @@ class Typo3DbQueryParser implements \TYPO3\CMS\Core\SingletonInterface
                 default:
                     return '';
             }
-            $pageIdStatement = $tableAlias . '.pid IN (' . implode(', ', $storagePageIds) . ')';
+            $pageIdStatement = $tableAlias . '.pid IN (' . implode(',', $this->databaseHandle->cleanIntArray($storagePageIds)) . ')';
         }
         return $pageIdStatement;
     }
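Review bot: The new line delegates all of the encoding to cleanIntArray(), and if that helper int-casts each element (which its name and the test's pass-through stub suggest, but the implementation is not visible here) a non-numeric storagePid such as `'abc'` silently becomes `0`, so the query is widened to root-level records instead of failing loudly. A comment on the line would make that trade-off explicit for maintainers: `// cleanIntArray() int-casts every id; non-numeric storagePids degrade to 0 (root) rather than erroring`. If that widening is not intended, dropping non-numeric entries before the cast (`array_filter($storagePageIds, 'is_numeric')`) would keep the list strictly to configured pages. getPageIdStatement begins before this hunk, so the origin of $storagePageIds and the empty-list case cannot be checked here.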
index 8204703..d92bb00 100644 (file)
@@ -13,6 +13,9 @@ namespace TYPO3\CMS\Extbase\Tests\Unit\Persistence\Generic\Storage;
  *
  * The TYPO3 project - inspiring people to share!
  */
+use Prophecy\Argument;
+use TYPO3\CMS\Core\Database\DatabaseConnection;
+
 class Typo3DbQueryParserTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
 {
     /**
@@ -359,12 +362,12 @@ class Typo3DbQueryParserTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
             'set Pid to given Pids if rootLevel = 0' => array(
                 '0',
                 $table,
-                $table . '.pid IN (42, 27)'
+                $table . '.pid IN (42,27)'
             ),
             'add 0 to given Pids if rootLevel = -1' => array(
                 '-1',
                 $table,
-                $table . '.pid IN (42, 27, 0)'
+                $table . '.pid IN (42,27,0)'
             ),
             'set Pid to zero if rootLevel = -1 and no further pids given' => array(
                 '-1',
@@ -391,6 +394,9 @@ class Typo3DbQueryParserTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
         );
         $mockTypo3DbQueryParser = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Persistence\Generic\Storage\Typo3DbQueryParser::class, array('dummy'), array(), '', false);
         $mockFrontendVariableCache = $this->getMock(\TYPO3\CMS\Core\Cache\Frontend\VariableFrontend::class, array(), array(), '', false);
+        $mockDatabaseHandle = $this->prophesize(DatabaseConnection::class);
+        $mockDatabaseHandle->cleanIntArray(Argument::cetera())->willReturnArgument(0);
+        $mockTypo3DbQueryParser->_set('databaseHandle', $mockDatabaseHandle->reveal());
         $mockTypo3DbQueryParser->_set('tableColumnCache', $mockFrontendVariableCache);
         $mockFrontendVariableCache->expects($this->once())->method('get')->will($this->returnValue(array('pid' => '42')));
         $sql = $mockTypo3DbQueryParser->_callRef('getPageIdStatement', $table, $table, $storagePageIds);
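Review bot: The prophecy on the added lines stubs cleanIntArray() as a plain pass-through without `shouldBeCalled()`, so this test would still pass if the call were dropped from getPageIdStatement again and the sanitisation that motivates the commit would go unverified. Chaining the expectation, `$mockDatabaseHandle->cleanIntArray(Argument::cetera())->shouldBeCalled()->willReturnArgument(0);`, pins the call; a further data-provider case feeding a non-integer id (for example `'42 OR 1=1'`) against a stub that really int-casts would cover the encoding behaviour itself. The test method continues past the end of this hunk, so its assertion on $sql is not visible here.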