quote characters used directly in a query #32
Conversation
| @@ -385,6 +385,7 @@ protected function findBy($entityClass, $searchQuery, array $searchableFields, $ | |||
| ; | |||
|
|
|||
| foreach ($searchableFields as $name => $metadata) { | |||
| $searchQuery = $this->getDoctrine()->getConnection()->quote($searchQuery); | |||
There was a problem hiding this comment.
I have two comments about this change:
- This line should be moved outside the
foreachloop to not repeat it for each field. - I don't think that calling the
quote()method is the right thing to do here. I've made some tests:
| What the user typed in the search box | The result of quote() |
The expected result |
|---|---|---|
foo' |
'foo\'' |
foo\' |
%foo% |
'%foo%' |
\%foo\% |
Keep in mind that the query is wrapped like this to do the full-text search: '%'.$searchQuery.'%' This means that it cannot be quoted, we just have to escape the special chars in the context of the LIKE query.
There was a problem hiding this comment.
Indeed, you're right.
There was a problem hiding this comment.
Does adding $searchQuery = trim($searchQuery, "'"); seems a bad practice ?
There was a problem hiding this comment.
I think that's not a good idea because we then relied on implementation specific behaviour.
There was a problem hiding this comment.
According to issue #26 the best solution might seem this one:
$wildcards = $this->getDoctrine()->getConnection()->getDatabasePlatform()->getWildcards();
if (!count($wildcards)) {
$wildcards = array('%','_');
}
$wildcards = implode('', $wildcards);
$searchQuery = addcslashes($searchQuery,$wildcards);There was a problem hiding this comment.
I updated the code.
|
Thank you Christian! I appreciate the time you took to solve this PR and do all the asked code changes. |
This fixes #26.