Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate inappropriate usage of prepared statement parameters #4411

Merged
merged 1 commit into from
Nov 5, 2020
Merged

Deprecate inappropriate usage of prepared statement parameters #4411

merged 1 commit into from
Nov 5, 2020

Conversation

morozov
Copy link
Member

@morozov morozov commented Nov 5, 2020
edited
Loading

Q A
Type deprecation
BC Break no

Summary

The current SQL parser implementation allows certain usages that are rather a side effects of the existing implementation than something that the implementation was purposefully designed for.

  1. The keys of positional parameters and their types can be anything and do not have to correspond to the positions of the placeholders in the statement. This is achieved by sorting them:

    dbal/lib/Doctrine/DBAL/SQLParserUtils.php

    Lines 152 to 153 in 99f9c7e

    ksort($params);
    ksort($types);
    and then discarding keys:

    dbal/lib/Doctrine/DBAL/SQLParserUtils.php

    Lines 177 to 178 in 99f9c7e

    $params = array_values($params);
    $types = array_values($types);
    And is even covered by a test:

    dbal/tests/Doctrine/Tests/DBAL/SQLParserUtilsTest.php

    Lines 313 to 333 in 99f9c7e

    'Positional starts from 1: One non-list before and one after list-needle' => [
    'SELECT * FROM Foo WHERE foo = ? AND bar IN (?) AND baz = ? AND foo IN (?)',
    [1 => 1, 2 => [1, 2, 3], 3 => 4, 4 => [5, 6]],
    [
    1 => ParameterType::INTEGER,
    2 => Connection::PARAM_INT_ARRAY,
    3 => ParameterType::INTEGER,
    4 => Connection::PARAM_INT_ARRAY,
    ],
    'SELECT * FROM Foo WHERE foo = ? AND bar IN (?, ?, ?) AND baz = ? AND foo IN (?, ?)',
    [1, 1, 2, 3, 4, 5, 6],
    [
    ParameterType::INTEGER,
    ParameterType::INTEGER,
    ParameterType::INTEGER,
    ParameterType::INTEGER,
    ParameterType::INTEGER,
    ParameterType::INTEGER,
    ParameterType::INTEGER,
    ],
    ],
  2. The parser allows omitting parameters.
  3. The parser allows mixing positional and named parameters in the same statement (this is currently forbidden by the documentation and wouldn't be a BC break):

    dbal/docs/en/reference/data-retrieval-and-manipulation.rst

    Line 95 in 99f9c7e

    a double-colon (:name1). You cannot mix the positional and the named approach. The approach

The behavior above should be deprecated in order to allow future rework of the parser w/o introducing breaking changes.

@morozov morozov added this to the 2.12.1 milestone Nov 5, 2020
@morozov morozov merged commit 3622d6d into doctrine:2.12.x Nov 5, 2020
@morozov morozov deleted the deprecate-parser-abuse branch November 5, 2020 15:26
@morozov morozov mentioned this pull request Nov 11, 2020
Closed
rgrellmann added a commit to Rossmann-IT/dbal that referenced this pull request Mar 7, 2021
@rgrellmann
Merge tag '2.12.1' into oracle122
42fbc70 
Release [2.12.1](https://github.com/doctrine/dbal/milestone/84)

2.12.1
======

- Total issues resolved: **2**
- Total pull requests resolved: **11**
- Total contributors: **7**

Documentation,Prepared Statements
---------------------------------

 - [4424: Mark SQLParserUtils internal](doctrine#4424) thanks to @morozov

Packaging
---------

 - [4416: Update .gitattributes](doctrine#4416) thanks to @bytestream

Bug,Cache
---------

 - [4414: ResultCacheStatement::fetchAllAssociative does not store results in cache](doctrine#4414) thanks to @morozov and @dFayet

Deprecation,Prepared Statements
-------------------------------

 - [4411: Deprecate inappropriate usage of prepared statement parameters](doctrine#4411) thanks to @morozov
 - [4407: Deprecate colon prefix for prepared statement parameters](doctrine#4407) thanks to @morozov

Static Analysis
---------------

 - [4403: Remove redundant phpstan param from DriverManager::getConnection()](doctrine#4403) thanks to @simPod

Bug,Locking,Transactions
------------------------

 - [4400: LockMode::NONE should not set WITH (NOLOCK)](doctrine#4400) thanks to @BenMorel

Code Style,PHP
--------------

 - [4398: Update PHP&doctrine#95;CodeSniffer to 3.5.8](doctrine#4398) thanks to @morozov

PDO,PHP,Test Suite
------------------

 - [4396: Fix php8 mysql mariadb](doctrine#4396) thanks to @greg0ire

Documentation
-------------

 - [4390: Fix headline in the upgrade docs](doctrine#4390) thanks to @jdreesen

Documentation,Testing
---------------------

 - [4356: Testing Guidelines](doctrine#4356) thanks to @morozov

# gpg: Signature made Sat Nov 14 21:50:01 2020
# gpg:                using DSA key 1BEDEE0A820BC30D858F9F0C2C3A645671828132
# gpg: Can't check signature: No public key

# Conflicts:
#	README.md
@morozov morozov mentioned this pull request Jul 20, 2022
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 27, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@greg0ire greg0ire greg0ire approved these changes

Assignees
No one assigned
Labels
Deprecation Prepared Statements
Projects
None yet
Milestone
2.12.1
Development

Successfully merging this pull request may close these issues.
2 participants
@morozov @greg0ire