Doctrine is not Auto-Escaping Columns

[alexgurrola]

We have an entity with the column 'limit', but this is a reserved keyword in MySQL. Logically, Doctrine ORM should be Auto-Escaping these Columns, but it's stuck in this ideology that we must escape them in the Column name.

An exception occurred while executing 'INSERT INTO content_stream (pagingType, limit, enableSearch, siteId, vendorId, time, timeEdit, timeStatus, status, userId, editUserId, viewVersionId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)' with params ["pager", null, 0, 13, null, 1465943902, 1465943902, null, 1, 4, 4, 38064]:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limit, enableSearch, siteId, vendorId, time, timeEdit, timeStatus, status, userI' at line 1

According to Issue #2409, we tried the following workaround.

@Column(name="`limit`")

This does work for our current situation, but this is a very fragile train of logic and Doctrine ORM should be providing this level of safety, regardless of whether it is a reserved keyword or not.

[phansys]

See #2409.

[Ocramius]

This is a well known limitation documented at http://doctrine-orm.readthedocs.io/projects/doctrine-orm/en/latest/reference/limitations-and-known-issues.html#identifier-quoting-and-legacy-databases

We will change this for Doctrine 3.x, but for 2.x, auto-quoting of identifiers is a no-go, mostly because of case sensitivity issues.

Please note that this doesn't cause security issues per se, as mappings are not user input, but static application information.

[alexgurrola]

@Ocramius Understood. Since this is the case, is there a way to check out Doctrine 3.x? All of my searching has turned up null.

[Ocramius]

Check the develop branch

[Ocramius]

@richRemer you know that we still get email notifications, even if you delete messages, right?

[richRemer]

I assumed so. I deleted it because I realized I misunderstood your Doctrine Beta 3 release notes from 2010 to be Doctrine 3 Beta. Leaving it up there served no purpose. The new release could really use some SEO. I could not find any roadmap for release, so the promise for a fix in v3 is not useful.

…

On Oct 19, 2017 8:31 AM, "Marco Pivetta" ***@***.***> wrote: @richRemer <https://github.com/richremer> you know that we still get email notifications, even if you delete messages, right? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5874 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABrlGbIKFLzjzDUza50sp_7fQDkOUCEGks5st2tMgaJpZM4I12PU> .

[acataluddi]

This is a well known limitation documented at http://doctrine-orm.readthedocs.io/projects/doctrine-orm/en/latest/reference/limitations-and-known-issues.html#identifier-quoting-and-legacy-databases

Hi, is there any way to escape reserved words in XML metatdata? Putting `reserved` works but breaks the XSD validation.

Thanks,
Adriano

[ToonSpinISAAC]

The documentation page mention seems to have been moved here.

[GitFoxDev]

Doctrine 3.1. The problem is relevant.