Merge pull request #5277 from kenjis/fix-escape-negative-integers

Fix db escape negative integers

system/Database/BaseConnection.php

@@ -565,7 +565,7 @@ abstract protected function execute(string $sql);
      *
      * @param mixed ...$binds
      *
-     * @return BaseResult|bool|Query
+     * @return BaseResult|bool|Query BaseResult when “read” type query, bool when “write” type query, Query when prepared query
      *
      * @todo BC set $queryClass default as null in 4.1
      */
@@ -955,6 +955,8 @@ public function getConnectDuration(int $decimals = 6): string
      * the correct identifiers.
      *
      * @param array|string $item
+     * @param bool         $prefixSingle Prefix an item with no segments?
+     * @param bool         $fieldExists  Supplied $item contains a field name?
      *
      * @return array|string
      */
@@ -1200,10 +1202,6 @@ public function escape($str)
             return ($str === false) ? 0 : 1;
         }
 
-        if (is_numeric($str) && $str < 0) {
-            return "'{$str}'";
-        }
-
         return $str ?? 'NULL';
     }
 

tests/system/Database/BaseQueryTest.php

@@ -345,6 +345,38 @@ public function testSetQueryBindsWithSetEscapeFalse()
         $this->assertSame($expected, $query->getQuery());
     }
 
+    /**
+     * @see https://github.com/codeigniter4/CodeIgniter4/issues/4973
+     */
+    public function testSetQueryBindsWithSetEscapeNegativeIntegers()
+    {
+        $query = new Query($this->db);
+
+        $query->setQuery(
+            'SELECT * FROM product WHERE date_pickup < DateAdd(month, ?, Convert(date, GetDate())',
+            [-6],
+            true
+        );
+
+        $expected = 'SELECT * FROM product WHERE date_pickup < DateAdd(month, -6, Convert(date, GetDate())';
+
+        $this->assertSame($expected, $query->getQuery());
+    }
+
+    public function testSetQueryNamedBindsWithNegativeIntegers()
+    {
+        $query = new Query($this->db);
+
+        $query->setQuery(
+            'SELECT * FROM product WHERE date_pickup < DateAdd(month, :num:, Convert(date, GetDate())',
+            ['num' => -6]
+        );
+
+        $expected = 'SELECT * FROM product WHERE date_pickup < DateAdd(month, -6, Convert(date, GetDate())';
+
+        $this->assertSame($expected, $query->getQuery());
+    }
+
     /**
      * @see https://github.com/codeigniter4/CodeIgniter4/issues/2762
      */

tests/system/Database/Live/EscapeTest.php

@@ -38,9 +38,9 @@ protected function setUp(): void
      *
      * @see https://github.com/codeigniter4/CodeIgniter4/issues/606
      */
-    public function testEscapeProtectsNegativeNumbers()
+    public function testDoesNotEscapeNegativeNumbers()
     {
-        $this->assertSame("'-100'", $this->db->escape(-100));
+        $this->assertSame(-100, $this->db->escape(-100));
     }
 
     public function testEscape()