From 0118d484509c06254bbc8f392ab2eb6ca06ea18a Mon Sep 17 00:00:00 2001 From: Tymoteusz Motylewski Date: Fri, 24 Apr 2020 23:14:15 +0200 Subject: [PATCH] Fix SQL query quoting/casting when type is passed to where function The $type variable can be both string or int, so before comparing it to 'TYPE_CONDITION' string it has to be casted to avoid comparing integer zero with string (0 == 'TYPE_CONDITION') which will wrongly return true, and remove the information about type. Pass type provided to where function down the chain to allow automatic casting of arrays of values e.g. to int. This fixes following cases: 1) ->where('attr_table.store_id IN (?)', $storeIds, Zend_Db::INT_TYPE); 2) ->where('attr_table.store_id = ?', $storeId, Zend_Db::INT_TYPE); In both cases now passed value is correctly casted to int (either single value, or each value from array) Co-authored-by: Ihor Sviziev --- .../Magento/Framework/DB/Adapter/Pdo/Mysql.php | 7 ++++--- lib/internal/Magento/Framework/DB/Select.php | 11 ++++++----- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php b/lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php index 7db91c06d9649..e4b2dad4a8108 100644 --- a/lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php +++ b/lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php @@ -21,6 +21,7 @@ use Magento\Framework\DB\Query\Generator as QueryGenerator; use Magento\Framework\DB\Select; use Magento\Framework\DB\SelectFactory; +use Magento\Framework\DB\Sql\Expression; use Magento\Framework\DB\Statement\Parameter; use Magento\Framework\Exception\LocalizedException; use Magento\Framework\Phrase; @@ -1511,10 +1512,10 @@ public function select() * Method revrited for handle empty arrays in value param * * @param string $text The text with a placeholder. - * @param mixed $value The value to quote. - * @param string $type OPTIONAL SQL datatype + * @param array|null|int|string|float|Expression|Select|\DateTimeInterface $value The value to quote. + * @param int|string|null $type OPTIONAL SQL datatype of the given value e.g. Zend_Db::FLOAT_TYPE or "INT" * @param integer $count OPTIONAL count of placeholders to replace - * @return string An SQL-safe quoted value placed into the orignal text. + * @return string An SQL-safe quoted value placed into the original text. */ public function quoteInto($text, $value, $type = null, $count = null) { diff --git a/lib/internal/Magento/Framework/DB/Select.php b/lib/internal/Magento/Framework/DB/Select.php index 075aa6b24faa7..4f79b0d314f1d 100644 --- a/lib/internal/Magento/Framework/DB/Select.php +++ b/lib/internal/Magento/Framework/DB/Select.php @@ -7,6 +7,7 @@ use Magento\Framework\App\ResourceConnection; use Magento\Framework\DB\Adapter\AdapterInterface; +use Magento\Framework\DB\Sql\Expression; /** * Class for SQL SELECT generation and results. @@ -107,19 +108,19 @@ public function __construct( * * * @param string $cond The WHERE condition. - * @param string|array|null $value OPTIONAL An optional single or array value to quote into the condition. - * @param string|int|null $type OPTIONAL The type of the given value - * @return \Magento\Framework\DB\Select + * @param array|null|int|string|float|Expression|Select|\DateTimeInterface $value The value to quote. + * @param int|string|null $type OPTIONAL SQL datatype of the given value e.g. Zend_Db::FLOAT_TYPE or "INT" + * @return Select */ public function where($cond, $value = null, $type = null) { if ($value === null && $type === null) { $value = ''; - } elseif ($type == self::TYPE_CONDITION) { + } elseif ((string)$type === self::TYPE_CONDITION) { $type = null; } if (is_array($value)) { - $cond = $this->getConnection()->quoteInto($cond, $value); + $cond = $this->getConnection()->quoteInto($cond, $value, $type); $value = null; } return parent::where($cond, $value, $type);