DDC-2748 DQL expression "in" not working with Collection #822
Conversation
|
Hello, thank you for creating this pull request. I have automatically opened an issue http://www.doctrine-project.org/jira/browse/DDC-2750 We use Jira to track the state of pull requests and the versions they got |
| @@ -442,6 +444,9 @@ public function sqrt($x) | |||
| */ | |||
| public function in($x, $y) | |||
| { | |||
| if ($y instanceof Collection) { | |||
There was a problem hiding this comment.
What happens if somebody implements the collection interface on an entity?
There was a problem hiding this comment.
While I agree on your remark, I don't see why today in() accepts objects or entities... IMO, in() means "in an array" (or Collection of course) period.
Take any array function ever in the whole history (up to the dinosaurs), it is normal behavior to accept only arrays as input and not have a weird "fallback" mechanism when the input is "invalid".
There was a problem hiding this comment.
(I've never heard of a dinosaur calling a function expecting an array and giving it an object, yet I'm not an archaeologist)
|
In any case, you should not pass a collection to IN because it will put the values directly in the DQL, thus allowing DQL injection (and having a different DQL for each combination of values, thus bypassing the query cache). You should be using a DQL parameter for the collection |
|
@stof Right, I don't know why I thought the expression builder would automatically add the values as parameters to the query :/ This PR is wrong, I'm closing it |
Fix + tests for DDC-2748