Merge pull request #118 from marcteyssier/4.2

Fix: protection on order column

composer.json

@@ -20,7 +20,7 @@
     ],
     "require" : {
         "php" : ">=7.0",
-        "mouf/magic-query" : "~1.1",
+        "mouf/magic-query" : "^1.2.1",
         "mouf/schema-analyzer": "^1.1",
         "doctrine/dbal": "~2.5",
         "doctrine/cache": "~1.5",
@@ -33,7 +33,7 @@
         "mouf/classname-mapper": "~1.0",
         "mouf/utils.common.doctrine-cache-wrapper": "~1.0",
         "logger/essentials" : "^0.1.9",
-        "greenlion/php-sql-parser": "^4.0"
+        "greenlion/php-sql-parser": "^4.1"
     },
     "require-dev" : {
         "phpunit/phpunit": "~5.5",

src/Mouf/Database/TDBM/QueryFactory/AbstractQueryFactory.php

@@ -104,7 +104,7 @@ protected function getColumnsList(string $mainTable, array $additionalTablesFetc
                         $additionalTablesFetch[] = $orderByColumn['table'];
                     }
                     if ($securedOrderBy) {
-                        $reconstructedOrderBys[] = ($orderByColumn['table'] !== null ? $orderByColumn['table'].'.' : '').$orderByColumn['column'].' '.$orderByColumn['direction'];
+                        $reconstructedOrderBys[] = ($orderByColumn['table'] !== null ? $connection->quoteIdentifier($orderByColumn['table']).'.' : '').$connection->quoteIdentifier($orderByColumn['column']).' '.$orderByColumn['direction'];
                     }
                 } elseif ($orderByColumn['type'] === 'expr') {
                     $sortColumnName = 'sort_column_'.$sortColumn;

tests/Mouf/Database/TDBM/TDBMDaoGeneratorTest.php

@@ -1022,6 +1022,7 @@ public function testCreateEmptyExtendedBean()
 
         // We are not filling no field that is part of dog table.
         $dog = new DogBean('Youki');
+        $dog->setOrder(1);
 
         $dogDao->save($dog);
     }
@@ -1048,12 +1049,13 @@ public function testTwoBranchesHierarchy()
     {
         // This test cases checks issue https://github.com/thecodingmachine/mouf/issues/131
 
-        $dogDao = new CatDao($this->tdbmService);
+        $catDao = new CatDao($this->tdbmService);
 
         // We are not filling no field that is part of dog table.
-        $dog = new CatBean('Mew');
+        $cat = new CatBean('Mew');
+        $cat->setOrder(2);
 
-        $dogDao->save($dog);
+        $catDao->save($cat);
     }
 
     /**
@@ -1160,4 +1162,22 @@ public function testOrderByException()
         $this->expectException(TDBMInvalidArgumentException::class);
         $user = $users[0];
     }
+
+    /**
+     * @depends testDaoGeneration
+     */
+    public function testOrderByProtectedColumn()
+    {
+        $animalDao = new AnimalDao($this->tdbmService);
+        $animals = $animalDao->findAll();
+        $animals = $animals->withOrder('`order` ASC');
+
+        $this->assertInstanceOf(DogBean::class, $animals[0]);
+        $this->assertInstanceOf(CatBean::class, $animals[1]);
+
+        $animals = $animals->withOrder('`order` DESC');
+
+        $this->assertInstanceOf(CatBean::class, $animals[0]);
+        $this->assertInstanceOf(DogBean::class, $animals[1]);
+    }
 }

tests/sql/tdbmunittest.sql

@@ -202,6 +202,7 @@ INSERT INTO `users_roles` (`id`, `user_id`, `role_id`) VALUES
 CREATE TABLE `animal` (
   `id` INT NOT NULL AUTO_INCREMENT,
   `name` VARCHAR(45) NOT NULL,
+  `order` INT NULL,
   PRIMARY KEY (`id`)) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 ALTER TABLE `animal`