Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[6.x] Limit expected bindings v2 #35972

Merged
merged 3 commits into from
Jan 21, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 21 additions & 10 deletions src/Illuminate/Database/Query/Builder.php
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,17 @@ public function fromRaw($expression, $bindings = [])
return $this;
}

/**
* Returns scalar type value from an unknown type of input.
*
* @param mixed $value
* @return mixed
*/
protected function scalarValue($value)
{
return is_array($value) ? head(Arr::flatten($value)) : $value;
}

/**
* Creates a subquery and parse it.
*
Expand Down Expand Up @@ -698,7 +709,7 @@ public function where($column, $operator = null, $value = null, $boolean = 'and'
);

if (! $value instanceof Expression) {
$this->addBinding(is_array($value) ? head($value) : $value, 'where');
$this->addBinding($this->scalarValue($value), 'where');
}

return $this;
Expand Down Expand Up @@ -1043,7 +1054,7 @@ public function whereBetween($column, array $values, $boolean = 'and', $not = fa

$this->wheres[] = compact('type', 'column', 'values', 'boolean', 'not');

$this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 'where');
$this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 2), 'where');

return $this;
}
Expand Down Expand Up @@ -1111,7 +1122,7 @@ public function whereDate($column, $operator, $value = null, $boolean = 'and')
$value, $operator, func_num_args() === 2
);

$value = is_array($value) ? head($value) : $value;
$value = $this->scalarValue($value);

if ($value instanceof DateTimeInterface) {
$value = $value->format('Y-m-d');
Expand Down Expand Up @@ -1152,7 +1163,7 @@ public function whereTime($column, $operator, $value = null, $boolean = 'and')
$value, $operator, func_num_args() === 2
);

$value = is_array($value) ? head($value) : $value;
$value = $this->scalarValue($value);

if ($value instanceof DateTimeInterface) {
$value = $value->format('H:i:s');
Expand Down Expand Up @@ -1193,7 +1204,7 @@ public function whereDay($column, $operator, $value = null, $boolean = 'and')
$value, $operator, func_num_args() === 2
);

$value = is_array($value) ? head($value) : $value;
$value = $this->scalarValue($value);

if ($value instanceof DateTimeInterface) {
$value = $value->format('d');
Expand Down Expand Up @@ -1238,7 +1249,7 @@ public function whereMonth($column, $operator, $value = null, $boolean = 'and')
$value, $operator, func_num_args() === 2
);

$value = is_array($value) ? head($value) : $value;
$value = $this->scalarValue($value);

if ($value instanceof DateTimeInterface) {
$value = $value->format('m');
Expand Down Expand Up @@ -1283,7 +1294,7 @@ public function whereYear($column, $operator, $value = null, $boolean = 'and')
$value, $operator, func_num_args() === 2
);

$value = is_array($value) ? head($value) : $value;
$value = $this->scalarValue($value);

if ($value instanceof DateTimeInterface) {
$value = $value->format('Y');
Expand Down Expand Up @@ -1593,7 +1604,7 @@ public function whereJsonLength($column, $operator, $value = null, $boolean = 'a
$this->wheres[] = compact('type', 'column', 'operator', 'value', 'boolean');

if (! $value instanceof Expression) {
$this->addBinding((int) $value);
$this->addBinding((int) $this->scalarValue($value));
Copy link
Contributor

@u01jmg3 u01jmg3 Jan 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this necessary as we are casting to an integer? I guess it could still help if an array is provided.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can’t really say. Casting an array into integer returns 1 - so there’s that. Really depends on what’s expected when one passes an array there.

}

return $this;
Expand Down Expand Up @@ -1742,7 +1753,7 @@ public function having($column, $operator = null, $value = null, $boolean = 'and
$this->havings[] = compact('type', 'column', 'operator', 'value', 'boolean');

if (! $value instanceof Expression) {
$this->addBinding(is_array($value) ? head($value) : $value, 'having');
$this->addBinding($this->scalarValue($value), 'having');
}

return $this;
Expand Down Expand Up @@ -1780,7 +1791,7 @@ public function havingBetween($column, array $values, $boolean = 'and', $not = f

$this->havings[] = compact('type', 'column', 'values', 'boolean', 'not');

$this->addBinding($this->cleanBindings($values), 'having');
$this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 2), 'having');

return $this;
}
Expand Down
28 changes: 26 additions & 2 deletions tests/Database/DatabaseQueryBuilderTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,11 @@ public function testWheresWithArrayValue()
$builder->select('*')->from('users')->where('id', '<>', [12, 30]);
$this->assertSame('select * from "users" where "id" <> ?', $builder->toSql());
$this->assertEquals([0 => 12], $builder->getBindings());

$builder = $this->getBuilder();
$builder->select('*')->from('users')->where('id', '=', [[12, 30]]);
$this->assertSame('select * from "users" where "id" = ?', $builder->toSql());
$this->assertEquals([0 => 12], $builder->getBindings());
}

public function testMySqlWrappingProtectsQuotationMarks()
Expand Down Expand Up @@ -649,6 +654,16 @@ public function testWhereBetweens()
$this->assertSame('select * from "users" where "id" between ? and ?', $builder->toSql());
$this->assertEquals([0 => 1, 1 => 2], $builder->getBindings());

$builder = $this->getBuilder();
$builder->select('*')->from('users')->whereBetween('id', [[1, 2, 3]]);
$this->assertSame('select * from "users" where "id" between ? and ?', $builder->toSql());
$this->assertEquals([0 => 1, 1 => 2], $builder->getBindings());

$builder = $this->getBuilder();
$builder->select('*')->from('users')->whereBetween('id', [[1], [2, 3]]);
$this->assertSame('select * from "users" where "id" between ? and ?', $builder->toSql());
$this->assertEquals([0 => 1, 1 => 2], $builder->getBindings());

$builder = $this->getBuilder();
$builder->select('*')->from('users')->whereNotBetween('id', [1, 2]);
$this->assertSame('select * from "users" where "id" not between ? and ?', $builder->toSql());
Expand Down Expand Up @@ -1167,10 +1182,19 @@ public function testHavings()
$builder = $this->getBuilder();
$builder->select(['category', new Raw('count(*) as "total"')])->from('item')->where('department', '=', 'popular')->groupBy('category')->having('total', '>', 3);
$this->assertSame('select "category", count(*) as "total" from "item" where "department" = ? group by "category" having "total" > ?', $builder->toSql());
}

public function testHavingBetweens()
{
$builder = $this->getBuilder();
$builder->select('*')->from('users')->havingBetween('last_login_date', ['2018-11-16', '2018-12-16']);
$this->assertSame('select * from "users" having "last_login_date" between ? and ?', $builder->toSql());
$builder->select('*')->from('users')->havingBetween('id', [1, 2, 3]);
$this->assertSame('select * from "users" having "id" between ? and ?', $builder->toSql());
$this->assertEquals([0 => 1, 1 => 2], $builder->getBindings());

$builder = $this->getBuilder();
$builder->select('*')->from('users')->havingBetween('id', [[1, 2], [3, 4]]);
$this->assertSame('select * from "users" having "id" between ? and ?', $builder->toSql());
$this->assertEquals([0 => 1, 1 => 2], $builder->getBindings());
}

public function testHavingShortcut()
Expand Down