Unverified Commit f021f1f3 authored by Cédric Anne's avatar Cédric Anne Committed by GitHub

Merge pull request from GHSA-x93w-64x9-58qw



* Remove ability to use SQL expressions as string in criterion values

* Fix iterator syntax
Co-authored-by: default avatarJohan Cwiklinski <jcwiklinski@teclib.com>
parent 3dc4475c
......@@ -3,7 +3,15 @@
The present file will list all changes made to the project; according to the
[Keep a Changelog](http://keepachangelog.com/) project.
## [9.5.1] unreleased
## [9.5.2] unreleased
### API changes
#### Removed
- Ability to use SQL expressions as string in criterion values in SQL iterator (replaced by usage of `QueryExpression`).
## [9.5.1] 2020-07-16
## [9.5.0] 2020-07-07
......
......@@ -97,7 +97,7 @@ if (class_exists($_POST["itemtype"])
'glpi_networkports_networkports' => 'networkports_id_1',
'glpi_networkports' => 'id', [
'OR' => [
'glpi_networkports_networkports.networkports_id_2' => $DB->quoteName('glpi_networkports.id')
'glpi_networkports_networkports.networkports_id_2' => new QueryExpression($DB->quoteName('glpi_networkports.id'))
]
]
]
......
......@@ -396,12 +396,12 @@ class CronTask extends CommonDBTM{
// Build query for frequency and allowed hour
$WHERE[] = ['OR' => [
['AND' => [
['hourmin' => ['<', $DB->quoteName('hourmax')]],
['hourmin' => ['<', new QueryExpression($DB->quoteName('hourmax'))]],
'hourmin' => ['<=', $hour],
'hourmax' => ['>', $hour]
]],
['AND' => [
'hourmin' => ['>', $DB->quoteName('hourmax')],
'hourmin' => ['>', new QueryExpression($DB->quoteName('hourmax'))],
'OR' => [
'hourmin' => ['<=', $hour],
'hourmax' => ['>', $hour]
......
......@@ -1077,7 +1077,7 @@ class DBmysql {
$value = $value->getValue();
} else if ($value === null || $value === 'NULL' || $value === 'null') {
$value = 'NULL';
} else if (!preg_match("/^`.*?`$/", $value)) { //`field` is valid only for mysql :/
} else {
//phone numbers may start with '+' and will be considered as numeric
$value = "'$value'";
}
......
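Review bot: The new `} else {` branch still sits behind the check `$value === 'NULL' || $value === 'null'` two lines above it, so a plain string whose text is `null` or `NULL` is still emitted as the unquoted SQL keyword rather than the quoted literal — the same kind of string-triggered SQL interpretation this commit removes for backticked names. If criterion values can originate from request input, a user submitting the text `null` turns a string comparison into `= NULL`, which silently matches nothing; if the remaining callers can be migrated, consider narrowing that branch to real nulls with `} else if ($value === null) {` and requiring `new QueryExpression('NULL')` otherwise. The final branch `$value = "'$value'";` shows no escaping within this hunk; the method starts before the hunk, so I assume escaping happens earlier, but that is worth confirming since the string now always reaches this line.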
......@@ -589,8 +589,6 @@ class DBmysqlIterator implements Iterator, Countable {
return $value->getQuery();
} else if ($value instanceof \QueryExpression) {
return $value->getValue();
} else if (DBmysql::isNameQuoted($value)) { //FIXME: database related
return $value;
} else if ($value instanceof \QueryParam) {
return $value->getValue();
} else {
......
......@@ -393,7 +393,7 @@ class Report extends CommonGLPI{
'LINK' => 'networkports_id_1',
'PORT_1' => 'id', [
'OR' => [
'LINK.networkports_id_2' => $DB->quoteName('PORT_1.id')
'LINK.networkports_id_2' => new QueryExpression($DB->quoteName('PORT_1.id'))
]
]
]
......
......@@ -96,7 +96,7 @@ class DB extends \GLPITestCase {
[null, 'NULL'],
['null', 'NULL'],
['NULL', 'NULL'],
['`field`', '`field`'],
[new \QueryExpression('`field`'), '`field`'],
['`field', "'`field'"]
];
}
......
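Review bot: Replacing the `['`field`', '`field`']` row with the `QueryExpression` row removes the only case covering a backticked plain string, so no test now asserts the behaviour this commit introduces — that such a string is quoted as a value instead of passing through as an identifier. Keep the new row and add a regression row beside the existing partial-backtick one, e.g. `` ['`field`', "'`field`'"], ``, so a future reintroduction of the `preg_match` shortcut fails the suite. The expected string assumes quoteValue leaves backticks untouched inside the quotes, consistent with the existing `['`field', "'`field'"]` row.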
......@@ -562,7 +562,7 @@ class DBmysqlIterator extends DbTestCase {
$it = $this->it->execute('foo', ['bar' => 'val']);
$this->string($it->getSql())->isIdenticalTo("SELECT * FROM `foo` WHERE `bar` = 'val'");
$it = $this->it->execute('foo', ['bar' => '`field`']);
$it = $this->it->execute('foo', ['bar' => new \QueryExpression('`field`')]);
$this->string($it->getSql())->isIdenticalTo('SELECT * FROM `foo` WHERE `bar` = `field`');
$it = $this->it->execute('foo', ['bar' => '?']);
......
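Review bot: The rewritten case asserts only the `QueryExpression` path; there is no longer an assertion that a bare `'`field`'` string is rendered as a quoted literal, which is the behaviour the change is meant to guarantee at iterator level — add e.g. `$it = $this->it->execute('foo', ['bar' => '`field`']);` followed by an `isIdenticalTo` on the SQL with the value in single quotes. The context line `$it = $this->it->execute('foo', ['bar' => '?']);` below also suggests a bare `?` string is still special-cased; its assertion is outside the hunk so I cannot confirm, but if it is bound as a placeholder it is the same class of string-triggered SQL meaning this commit removes, and should likely require `new QueryParam()` instead.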