Merge pull request #224 from phpcr/escape-single-quotes

dbu · web-flow · commit df25fdac3147 · 2024-01-12T14:50:45.000+01:00
escape single quotes in sql generator
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,13 @@ Changelog
 2.x
 ---
 
+2.0.1
+-----
+
+* The SQL generator now escapes single quotes `'`. This avoids SQL injection risks. If you escaped
+  strings manually (by duplicating the `'`) you will need to stop doing that as otherwise the query
+  will be run with duplicated single quotes.
+
 2.0.0
 -----
 
diff --git a/src/PHPCR/Util/QOM/BaseSqlGenerator.php b/src/PHPCR/Util/QOM/BaseSqlGenerator.php
@@ -214,7 +214,7 @@ public function evalLiteral(mixed $literal): string
             return $this->evalCastLiteral($string, 'DOUBLE');
         }
 
-        return "'$literal'";
+        return sprintf("'%s'", str_replace("'", "''", $literal));
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ public function evalLiteral(mixed $literal): string`
`214`	`214`	`return $this->evalCastLiteral($string, 'DOUBLE');`
`215`	`215`	`}`
`216`	`216`
`217`		`- return "'$literal'";`
	`217`	`+ return sprintf("'%s'", str_replace("'", "''", $literal));`
`218`	`218`	`}`
`219`	`219`
`220`	`220`	`/**`