LIKE ESCAPE and QueryBuilder::createNamedParameter #32382

Closed
DeepDiver1975 opened this issue Aug 20, 2018 · 6 comments
@DeepDiver1975
Member

Steps to reproduce

  1. use like() and createNamedParameter() with a pattern which holds a wildcard (e.g. _) and escapeLikeParameter
  2. run query on a data set which matches the pattern

Expected behaviour

the record shall be within the result set

Actual behaviour

the record is not in the result set

Server configuration

Database:
all

ownCloud version: (see ownCloud admin page)
10.0.x and master are affected

@DeepDiver1975
Member Author

Analysis

Queries which use ? as placeholder are working because the necessary ESCAPE keyword is added in the adapters:

$statement = \preg_replace('( I?LIKE \?)', '$0 ESCAPE \'\\\'', $statement);

The regex does not match in case of queries which have been built using createNamedParameter() because :dcValue is used as placeholder.
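
Added example, not part of the original issue or of ownCloud's code: a Python port of the rewrite quoted above, run against an in-memory SQLite table, showing that a LIKE ? query receives the ESCAPE clause and finds the record while a LIKE :dcValue1 query is left untouched and misses it. The escape_like helper, the table, the sample rows and the :dcValue1 placeholder name are assumptions constructed for illustration.

```python
import re
import sqlite3

# Python port of the adapter rewrite quoted above: append ESCAPE '\' after "LIKE ?".
LIKE_POSITIONAL = re.compile(r" I?LIKE \?")


def add_escape(statement):
    """Return the statement with ESCAPE '\\' appended to every positional LIKE."""
    return LIKE_POSITIONAL.sub(lambda m: m.group(0) + " ESCAPE '\\'", statement)


def escape_like(value):
    """Hypothetical stand-in for escapeLikeParameter: backslash-escape \\, _ and %."""
    return re.sub(r"([\\_%])", r"\\\1", value)


def search(statement, params):
    """Run the (possibly rewritten) statement against constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (name TEXT)")
    db.executemany("INSERT INTO files VALUES (?)",
                   [("my_file.txt",), ("myXfile.txt",)])
    rows = db.execute(add_escape(statement), params).fetchall()
    db.close()
    return [row[0] for row in rows]


POSITIONAL = "SELECT name FROM files WHERE name LIKE ?"
NAMED = "SELECT name FROM files WHERE name LIKE :dcValue1"
# ESCAPE written into the expression by hand, as suggested for stable10.
NAMED_FIXED = NAMED + " ESCAPE '\\'"
# Escaped search term "my_" followed by a real wildcard: my\_%
PATTERN = escape_like("my_") + "%"

if __name__ == "__main__":
    print(add_escape(POSITIONAL))   # rewritten, ESCAPE appended
    print(add_escape(NAMED))        # unchanged, the regex does not match
    print(search(POSITIONAL, (PATTERN,)))
    print(search(NAMED, {"dcValue1": PATTERN}))
    print(search(NAMED_FIXED, {"dcValue1": PATTERN}))
```

Without the ESCAPE clause SQLite treats the backslash in the pattern as an ordinary character, so the escaped pattern only matches names that contain a literal backslash.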

@DeepDiver1975
Member Author

With dbal 2.8.0 the escape char can be specified in the like() method - potential fix approach for master: #32372

stable10 uses a different dbal version - we cannot yet update because of php version requirements

@DeepDiver1975
Member Author

for stable10 we could add ESCAPE within the expression builder like manually

@DeepDiver1975
Member Author

nevertheless the tricky part is to make sure the queries which do not use the querybuilder get the proper ESCAPE added

@ownclouders
Contributor

GitMate.io thinks possibly related issues are #32372 (Add escape character to like query), #16580 (LIKE queries do not properly escape special characters), #17862 (Prefix QueryBuilder stuff with PREFIX), #3494 (Property Serializer Escaping Issue), and #9046 (escape t() variables by default).

@DeepDiver1975
Member Author

seems like the easiest fix is to convert all createNamedParameter() into createPositionalParameter()

@DeepDiver1975 DeepDiver1975 self-assigned this Aug 22, 2018
@DeepDiver1975 DeepDiver1975 added this to the development milestone Aug 22, 2018
@PVince81 PVince81 modified the milestones: development, QA Jan 11, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 11, 2020