
Commit bf08df2

authored
Improve SQL quoting and fix docblock issues (#1003)
- Fix SQL Server sp_rename to use quoteString() for proper escaping - Fix foreign key column quoting in PostgreSQL and SQL Server adapters to use quoteColumnName() instead of hard-coded quotes - Fix MigrationHelper::tableStatement() to escape table names - Fix @params typos in BaseMigration docblocks (should be @param) - Fix copy-paste docblock errors in test seed files
1 parent 49b3db5 commit bf08df2


3 files changed

+24
-23
lines changed


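--- a/src/Db/Adapter/PostgresAdapter.php
+++ b/src/Db/Adapter/PostgresAdapter.php
@@ -948,10 +948,11 @@ protected function getForeignKeySqlDefinition(ForeignKey $foreignKey, string $ta
 $constraintName = $foreignKey->getName() ?: (
 $parts['table'] . '_' . implode('_', $foreignKey->getColumns()) . '_fkey'
 );
+$columnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getColumns()));
+$refColumnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getReferencedColumns()));
 $def = ' CONSTRAINT ' . $this->quoteColumnName($constraintName) .
-' FOREIGN KEY ("' . implode('", "', $foreignKey->getColumns()) . '")' .
-" REFERENCES {$this->quoteTableName($foreignKey->getReferencedTable())} (\"" .
-implode('", "', $foreignKey->getReferencedColumns()) . '")';
+' FOREIGN KEY (' . $columnList . ')' .
+' REFERENCES ' . $this->quoteTableName($foreignKey->getReferencedTable()) . ' (' . $refColumnList . ')';
 if ($foreignKey->getOnDelete()) {
 $def .= " ON DELETE {$foreignKey->getOnDelete()}";
 }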
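Review bot: The ON DELETE action at the end of this hunk is still interpolated into the definition as-is (`$def .= " ON DELETE {$foreignKey->getOnDelete()}";`), which leaves it as the one value in the clause that does not pass through an adapter quoting helper. It is a keyword rather than an identifier, so quoting does not apply and an allow-list is the right control; whether ForeignKey already restricts it to known actions is not visible here. If it does not, guard the append with something like `if (!in_array($action, ['CASCADE', 'RESTRICT', 'SET NULL', 'NO ACTION', 'SET DEFAULT'], true)) { throw new InvalidArgumentException('Unknown foreign key action'); }`. The same line appears in SqlserverAdapter::getForeignKeySqlDefinition, and the rest of this function, presumably including ON UPDATE, lies outside the hunk.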

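--- a/src/Db/Adapter/SqlserverAdapter.php
+++ b/src/Db/Adapter/SqlserverAdapter.php
@@ -236,9 +236,9 @@ protected function getRenameTableInstructions(string $tableName, string $newTabl
 {
 $this->updateCreatedTableName($tableName, $newTableName);
 $sql = sprintf(
-"EXEC sp_rename '%s', '%s'",
-$tableName,
-$newTableName,
+'EXEC sp_rename %s, %s',
+$this->quoteString($tableName),
+$this->quoteString($newTableName),
 );
 
 return new AlterInstructions([], [$sql]);
@@ -377,23 +377,21 @@ protected function getRenameColumnInstructions(string $tableName, string $column
 
 $oldConstraintName = "DF_{$tableName}_{$columnName}";
 $newConstraintName = "DF_{$tableName}_{$newColumnName}";
-$sql = <<<SQL
-IF (OBJECT_ID('$oldConstraintName', 'D') IS NOT NULL)
+$sql = sprintf(
+'IF (OBJECT_ID(%s, \'D\') IS NOT NULL)
 BEGIN
-EXECUTE sp_rename N'%s', N'%s', N'OBJECT'
-END
-SQL;
-$instructions->addPostStep(sprintf(
-$sql,
-$oldConstraintName,
-$newConstraintName,
-));
+EXECUTE sp_rename %s, %s, N\'OBJECT\'
+END',
+$this->quoteString($oldConstraintName),
+$this->quoteString($oldConstraintName),
+$this->quoteString($newConstraintName),
+);
+$instructions->addPostStep($sql);
 
 $instructions->addPostStep(sprintf(
-"EXECUTE sp_rename N'%s.%s', N'%s', 'COLUMN' ",
-$tableName,
-$columnName,
-$newColumnName,
+'EXECUTE sp_rename %s, %s, N\'COLUMN\'',
+$this->quoteString($tableName . '.' . $columnName),
+$this->quoteString($newColumnName),
 ));
 
 return $instructions;
@@ -867,10 +865,12 @@ protected function getIndexSqlDefinition(Index $index, string $tableName): strin
 protected function getForeignKeySqlDefinition(ForeignKey $foreignKey, string $tableName): string
 {
 $constraintName = $foreignKey->getName() ?: $tableName . '_' . implode('_', $foreignKey->getColumns());
+$columnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getColumns()));
+$refColumnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getReferencedColumns()));
 
 $def = ' CONSTRAINT ' . $this->quoteColumnName($constraintName);
-$def .= ' FOREIGN KEY ("' . implode('", "', $foreignKey->getColumns()) . '")';
-$def .= " REFERENCES {$this->quoteTableName($foreignKey->getReferencedTable())} (\"" . implode('", "', $foreignKey->getReferencedColumns()) . '")';
+$def .= ' FOREIGN KEY (' . $columnList . ')';
+$def .= ' REFERENCES ' . $this->quoteTableName($foreignKey->getReferencedTable()) . ' (' . $refColumnList . ')';
 if ($foreignKey->getOnDelete()) {
 $def .= " ON DELETE {$foreignKey->getOnDelete()}";
 }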
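Review bot: The rename statements in getRenameColumnInstructions no longer carry the `N` Unicode prefix on the object names: the removed lines used `N'%s'`, while the new format strings use a bare `%s` filled by `quoteString()`. Whether that helper emits `N'...'` is not visible in this diff; if it returns a plain `'...'` literal, names containing characters outside the database code page would be converted before sp_rename sees them, and the prefix should stay in the format, e.g. `'EXECUTE sp_rename N%s, N%s, N\'COLUMN\''`. Separately, `quoteString($tableName . '.' . $columnName)` makes the string literal safe, but sp_rename still parses its content as a multipart name, so a table or column name containing `.` would resolve to a different object; that limitation predates this change and deserves a comment at the call. The function bodies start and end outside the hunks.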

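--- a/src/View/Helper/MigrationHelper.php
+++ b/src/View/Helper/MigrationHelper.php
@@ -625,7 +625,7 @@ public function tableStatement(string $table, bool $reset = false): string
 if (!isset($this->tableStatementStatus[$table])) {
 $this->tableStatementStatus[$table] = true;
 
-return '$this->table(\'' . $table . '\')';
+return '$this->table(\'' . addslashes($table) . '\')';
 }
 
 return '';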
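Review bot: `addslashes()` escapes more than a single-quoted PHP literal understands: besides `'` and `\` it also backslash-escapes `"` and NUL, and inside `'...'` the sequences `\"` and `\0` are kept literally, so a table name containing a double quote would appear in the generated migration with a stray backslash. `var_export()` emits a correct PHP literal for any string, which also keeps the generated source from being broken out of: `return '$this->table(' . var_export($table, true) . ')';`. The body of tableStatement() starts and continues outside the hunk.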
