Skip to content
Permalink
Browse files

Merge pull request #28160 from brendt/escape-json-path

[5.8] Correctly escape single quotes in json paths
  • Loading branch information...
taylorotwell committed Apr 10, 2019
2 parents e62dff8 + 93f59c4 commit a056cd85d0ac59c457e25b2bdea54813f1d8b128
Showing with 25 additions and 0 deletions.
  1. +2 −0 src/Illuminate/Database/Query/Grammars/Grammar.php
  2. +23 −0 tests/Database/DatabaseQueryBuilderTest.php
@@ -1119,6 +1119,8 @@ protected function wrapJsonFieldAndPath($column)
*/
protected function wrapJsonPath($value, $delimiter = '->')
{
$value = preg_replace("/([\\\\]+)?\\'/", "\\'", $value);
return '\'$."'.str_replace($delimiter, '"."', $value).'"\'';
}
@@ -2252,6 +2252,29 @@ public function testMySqlWrappingJsonWithBooleanAndIntegerThatLooksLikeOne()
$this->assertEquals('select * from `users` where json_extract(`items`, \'$."available"\') = true and json_extract(`items`, \'$."active"\') = false and json_unquote(json_extract(`items`, \'$."number_available"\')) = ?', $builder->toSql());
}
public function testJsonPathEscaping()
{
$expectedWithJsonEscaped = <<<SQL
select json_unquote(json_extract(`json`, '$."\'))#"'))
SQL;
$builder = $this->getMySqlBuilder();
$builder->select("json->'))#");
$this->assertEquals($expectedWithJsonEscaped, $builder->toSql());
$builder = $this->getMySqlBuilder();
$builder->select("json->\'))#");
$this->assertEquals($expectedWithJsonEscaped, $builder->toSql());
$builder = $this->getMySqlBuilder();
$builder->select("json->\\'))#");
$this->assertEquals($expectedWithJsonEscaped, $builder->toSql());
$builder = $this->getMySqlBuilder();
$builder->select("json->\\\'))#");
$this->assertEquals($expectedWithJsonEscaped, $builder->toSql());
}
public function testMySqlWrappingJson()
{
$builder = $this->getMySqlBuilder();

0 comments on commit a056cd8

Please sign in to comment.
You can’t perform that action at this time.