BaseBuilder should only turn off Connection's setEscapeFlags when run…

…ning a query to enable straight calls to query to work. Fixes #1705
codeigniter4 · Feb 7, 2019 · 36fbb8e · 36fbb8e
1 parent bd8cee9
commit 36fbb8e
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 19 deletions.
diff --git a/system/Database/BaseBuilder.php b/system/Database/BaseBuilder.php
@@ -227,9 +227,6 @@ public function __construct($tableName, ConnectionInterface &$db, array $options
 
 		$this->db = $db;
 
-		// turn off automatic escape flags
-		$this->db->setEscapeFlags(false);
-
 		$this->from($tableName);
 
 		if (! empty($options))
@@ -1448,7 +1445,11 @@ public function get(int $limit = null, int $offset = 0, $returnSQL = false, $res
 			$this->limit($limit, $offset);
 		}
 
-		$result = $returnSQL ? $this->getCompiledSelect() : $this->db->query($this->compileSelect(), $this->binds);
+		$result = $returnSQL
+			? $this->getCompiledSelect()
+			: $this->db
+				->setEscapeFlags(false)
+				->query($this->compileSelect(), $this->binds);
 
 		if ($reset === true)
 		{
@@ -1486,7 +1487,7 @@ public function countAll($reset = true, $test = false)
 			return $sql;
 		}
 
-		$query = $this->db->query($sql);
+		$query = $this->db->setEscapeFlags(false)->query($sql);
 		if (empty($query->getResult()))
 		{
 			return 0;
@@ -1535,7 +1536,9 @@ public function countAllResults($reset = true, $test = false)
 			return $sql;
 		}
 
-		$result = $this->db->query($sql, $this->binds);
+		$result = $this->db
+			->setEscapeFlags(false)
+			->query($sql, $this->binds);
 
 		if ($reset === true)
 		{
@@ -1584,7 +1587,9 @@ public function getWhere($where = null, $limit = null, $offset = null)
 			$this->limit($limit, $offset);
 		}
 
-		$result = $this->db->query($this->compileSelect(), $this->binds);
+		$result = $this->db
+			->setEscapeFlags(false)
+			->query($this->compileSelect(), $this->binds);
 		$this->resetSelect();
 
 		return $result;
@@ -1649,7 +1654,9 @@ public function insertBatch($set = null, $escape = null, $batchSize = 100, $test
 			}
 			else
 			{
-				$this->db->query($sql, $this->binds);
+				$this->db
+					->setEscapeFlags(false)
+					->query($sql, $this->binds);
 				$affected_rows += $this->db->affectedRows();
 			}
 		}
@@ -1804,7 +1811,7 @@ public function insert($set = null, $escape = null, $test = false)
 		{
 			$this->resetWrite();
 
-			$result = $this->db->query($sql, $this->binds);
+			$result = $this->db->setEscapeFlags(false)->query($sql, $this->binds);
 
 			// Clear our binds so we don't eat up memory
 			$this->binds = [];
@@ -1893,7 +1900,7 @@ public function replace($set = null, $returnSQL = false)
 
 		$this->resetWrite();
 
-		return $returnSQL ? $sql : $this->db->query($sql, $this->binds);
+		return $returnSQL ? $sql : $this->db->setEscapeFlags(false)->query($sql, $this->binds);
 	}
 
 	//--------------------------------------------------------------------
@@ -2006,7 +2013,7 @@ public function update($set = null, $where = null, int $limit = null, $test = fa
 		{
 			$this->resetWrite();
 
-			if ($this->db->query($sql, $this->binds))
+			if ($this->db->setEscapeFlags(false)->query($sql, $this->binds))
 			{
 				// Clear our binds so we don't eat up memory
 				$this->binds = [];
@@ -2140,7 +2147,7 @@ public function updateBatch($set = null, $index = null, $batchSize = 100, $retur
 			}
 			else
 			{
-				$this->db->query($sql, $this->binds);
+				$this->db->setEscapeFlags(false)->query($sql, $this->binds);
 				$affected_rows += $this->db->affectedRows();
 			}
 
@@ -2267,7 +2274,7 @@ public function emptyTable($test = false)
 
 		$this->resetWrite();
 
-		return $this->db->query($sql);
+		return $this->db->setEscapeFlags(false)->query($sql);
 	}
 
 	//--------------------------------------------------------------------
@@ -2296,7 +2303,7 @@ public function truncate($test = false)
 
 		$this->resetWrite();
 
-		return $this->db->query($sql);
+		return $this->db->setEscapeFlags(false)->query($sql);
 	}
 
 	//--------------------------------------------------------------------
@@ -2396,7 +2403,7 @@ public function delete($where = '', $limit = null, $reset_data = true, $returnSQ
 			$this->resetWrite();
 		}
 
-		return ($returnSQL === true) ? $sql : $this->db->query($sql, $this->binds);
+		return ($returnSQL === true) ? $sql : $this->db->setEscapeFlags(false)->query($sql, $this->binds);
 	}
 
 	//--------------------------------------------------------------------
@@ -2415,7 +2422,7 @@ public function increment(string $column, int $value = 1)
 
 		$sql = $this->_update($this->QBFrom[0], [$column => "{$column} + {$value}"]);
 
-		return $this->db->query($sql, $this->binds);
+		return $this->db->setEscapeFlags(false)->query($sql, $this->binds);
 	}
 
 	//--------------------------------------------------------------------
@@ -2434,7 +2441,7 @@ public function decrement(string $column, int $value = 1)
 
 		$sql = $this->_update($this->QBFrom[0], [$column => "{$column}-{$value}"]);
 
-		return $this->db->query($sql, $this->binds);
+		return $this->db->setEscapeFlags(false)->query($sql, $this->binds);
 	}
 
 	//--------------------------------------------------------------------

diff --git a/system/Database/Query.php b/system/Database/Query.php
@@ -434,8 +434,6 @@ protected function matchNamedBinds(string $sql, array $binds)
 			}
 
 			$replacers[":{$placeholder}:"] = $escapedValue;
-
-			//          $sql = preg_replace('|:' . $placeholder . '(?!\w)|', $escapedValue, $sql);
 		}
 
 		$sql = strtr($sql, $replacers);

diff --git a/tests/system/Database/BaseQueryTest.php b/tests/system/Database/BaseQueryTest.php
@@ -253,4 +253,41 @@ public function testSimilarNamedBinds()
 	}
 
 	//--------------------------------------------------------------------
+
+	/**
+	 * @see https://github.com/codeigniter4/CodeIgniter4/issues/1705
+	 */
+	public function testSetQueryBindsWithSetEscapeTrue()
+	{
+		$query = new Query($this->db);
+
+		$query->setQuery('UPDATE user_table SET `x` = NOW() WHERE `id` = :id:', ['id' => 22], true);
+
+		$expected = 'UPDATE user_table SET `x` = NOW() WHERE `id` = 22';
+
+		$this->assertEquals($expected, $query->getQuery());
+	}
+
+	/**
+	 * @see https://github.com/codeigniter4/CodeIgniter4/issues/1705
+	 */
+	public function testSetQueryBindsWithSetEscapeFalse()
+	{
+		$query = new Query($this->db);
+
+		// The only time setQuery is called with setEscape = false
+		// is when the query builder has already stored the escaping info...
+		$binds = [
+			'id' => [
+				22,
+				1,
+			],
+		];
+
+		$query->setQuery('UPDATE user_table SET `x` = NOW() WHERE `id` = :id:', $binds, false);
+
+		$expected = 'UPDATE user_table SET `x` = NOW() WHERE `id` = 22';
+
+		$this->assertEquals($expected, $query->getQuery());
+	}
 }
-Original file line number
+Diff line change
@@ Expand Up @@
     			}
     			$replacers[":{$placeholder}:"] = $escapedValue;
-    			//          $sql = preg_replace('|:' . $placeholder . '(?!\w)|', $escapedValue, $sql);
     		}
     		$sql = strtr($sql, $replacers);
@@ Expand Down @@