Merge pull request #6332 from sclubricants/DbEscape

kenjis · web-flow · commit 6344fc764bcf · 2022-08-25T15:43:35.000+09:00
Add RawSql to BaseConnection-&gt;escape()
diff --git a/system/Database/BaseBuilder.php b/system/Database/BaseBuilder.php
@@ -2698,7 +2698,7 @@ protected function objectToArray($object)
 
         foreach (get_object_vars($object) as $key => $val) {
             // There are some built in keys we need to ignore for this conversion
-            if (! is_object($val) && ! is_array($val) && $key !== '_parent_name') {
+            if ((! is_object($val) || $val instanceof RawSql) && ! is_array($val) && $key !== '_parent_name') {
                 $array[$key] = $val;
             }
         }
diff --git a/system/Database/BaseConnection.php b/system/Database/BaseConnection.php
@@ -1243,6 +1243,10 @@ public function escape($str)
         }
 
         if (is_string($str) || (is_object($str) && method_exists($str, '__toString'))) {
+            if ($str instanceof RawSql) {
+                return $str->__toString();
+            }
+
             return "'" . $this->escapeString($str) . "'";
         }
 
diff --git a/system/Database/Postgre/Connection.php b/system/Database/Postgre/Connection.php
@@ -13,6 +13,7 @@
 
 use CodeIgniter\Database\BaseConnection;
 use CodeIgniter\Database\Exceptions\DatabaseException;
+use CodeIgniter\Database\RawSql;
 use ErrorException;
 use stdClass;
 
@@ -181,6 +182,10 @@ public function escape($str)
         }
 
         if (is_string($str) || (is_object($str) && method_exists($str, '__toString'))) {
+            if ($str instanceof RawSql) {
+                return $str->__toString();
+            }
+
             return pg_escape_literal($this->connID, $str);
         }
 
diff --git a/tests/system/Database/Builder/InsertTest.php b/tests/system/Database/Builder/InsertTest.php
@@ -13,6 +13,7 @@
 
 use CodeIgniter\Database\Exceptions\DatabaseException;
 use CodeIgniter\Database\Query;
+use CodeIgniter\Database\RawSql;
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\Mock\MockConnection;
 
@@ -85,6 +86,21 @@ public function testInsertObject()
         $this->assertSame($expectedBinds, $builder->getBinds());
     }
 
+    public function testInsertObjectWithRawSql()
+    {
+        $builder = $this->db->table('jobs');
+
+        $insertData = (object) [
+            'id'   => 1,
+            'name' => new RawSql('CONCAT("id", \'Grocery Sales\')'),
+        ];
+        $builder->testMode()->insert($insertData, true);
+
+        $expectedSQL = 'INSERT INTO "jobs" ("id", "name") VALUES (1, CONCAT("id", \'Grocery Sales\'))';
+
+        $this->assertSame($expectedSQL, str_replace("\n", ' ', $builder->getCompiledInsert()));
+    }
+
     /**
      * @see https://github.com/codeigniter4/CodeIgniter4/issues/5365
      */
diff --git a/tests/system/Database/Live/EscapeTest.php b/tests/system/Database/Live/EscapeTest.php
@@ -11,6 +11,7 @@
 
 namespace CodeIgniter\Database\Live;
 
+use CodeIgniter\Database\RawSql;
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\DatabaseTestTrait;
 
@@ -78,4 +79,22 @@ public function testEscapeLikeStringDirect()
             $this->expectNotToPerformAssertions();
         }
     }
+
+    public function testEscapeStringArray()
+    {
+        $stringArray = [' A simple string ', new RawSql('CURRENT_TIMESTAMP()'), false, null];
+
+        $escapedString = $this->db->escape($stringArray);
+
+        $this->assertSame("' A simple string '", $escapedString[0]);
+        $this->assertSame('CURRENT_TIMESTAMP()', $escapedString[1]);
+
+        if ($this->db->DBDriver === 'Postgre') {
+            $this->assertSame('FALSE', $escapedString[2]);
+        } else {
+            $this->assertSame(0, $escapedString[2]);
+        }
+
+        $this->assertSame('NULL', $escapedString[3]);
+    }
 }
diff --git a/tests/system/Database/Live/MySQLi/RawSqlTest.php b/tests/system/Database/Live/MySQLi/RawSqlTest.php
@@ -0,0 +1,203 @@
+<?php
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\Database\Live\MySQLi;
+
+use CodeIgniter\Database\RawSql;
+use CodeIgniter\Test\CIUnitTestCase;
+use CodeIgniter\Test\DatabaseTestTrait;
+use stdclass;
+use Tests\Support\Database\Seeds\CITestSeeder;
+
+/**
+ * @group DatabaseLive
+ *
+ * @internal
+ */
+final class RawSqlTest extends CIUnitTestCase
+{
+    use DatabaseTestTrait;
+
+    protected $refresh = true;
+    protected $seed    = CITestSeeder::class;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        if ($this->db->DBDriver !== 'MySQLi') {
+            $this->markTestSkipped('Only MySQLi has its own implementation.');
+        } else {
+            $this->addSqlFunction();
+        }
+    }
+
+    protected function addSqlFunction()
+    {
+        $this->db->query('DROP FUNCTION IF EXISTS setDateTime');
+
+        $sql = "CREATE FUNCTION setDateTime ( setDate varchar(20) )
+                RETURNS DATETIME
+                READS SQL DATA
+                DETERMINISTIC
+                BEGIN
+                RETURN CONVERT(CONCAT(setDate,' ','01:01:11'), DATETIME);
+                END;";
+
+        $this->db->query($sql);
+    }
+
+    public function testRawSqlUpdateObject()
+    {
+        $data = [];
+
+        $row             = new stdclass();
+        $row->email      = 'derek@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-01-01')");
+        $data[]          = $row;
+
+        $row             = new stdclass();
+        $row->email      = 'ahmadinejad@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-01-01')");
+        $data[]          = $row;
+
+        $this->db->table('user')->updateBatch($data, 'email');
+
+        $row->created_at = new RawSql("setDateTime('2022-01-11')");
+
+        $this->db->table('user')->update($row, "email = 'ahmadinejad@world.com'");
+
+        $this->seeInDatabase('user', ['email' => 'derek@world.com', 'created_at' => '2022-01-01 01:01:11']);
+        $this->seeInDatabase('user', ['email' => 'ahmadinejad@world.com', 'created_at' => '2022-01-11 01:01:11']);
+    }
+
+    public function testRawSqlSetUpdateObject()
+    {
+        $data = [];
+
+        $row             = new stdclass();
+        $row->email      = 'derek@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-02-01')");
+        $data[]          = $row;
+
+        $row             = new stdclass();
+        $row->email      = 'ahmadinejad@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-02-01')");
+        $data[]          = $row;
+
+        $this->db->table('user')->setUpdateBatch($data, 'email')->updateBatch(null, 'email');
+
+        $row->created_at = new RawSql("setDateTime('2022-02-11')");
+
+        $this->db->table('user')->set($row)->update(null, "email = 'ahmadinejad@world.com'");
+
+        $this->seeInDatabase('user', ['email' => 'derek@world.com', 'created_at' => '2022-02-01 01:01:11']);
+        $this->seeInDatabase('user', ['email' => 'ahmadinejad@world.com', 'created_at' => '2022-02-11 01:01:11']);
+    }
+
+    public function testRawSqlUpdateArray()
+    {
+        $data = [
+            ['email' => 'derek@world.com', 'created_at' => new RawSql("setDateTime('2022-03-01')")],
+            ['email' => 'ahmadinejad@world.com', 'created_at' => new RawSql("setDateTime('2022-03-01')")],
+        ];
+
+        $this->db->table('user')->updateBatch($data, 'email');
+
+        $this->seeInDatabase('user', ['email' => 'derek@world.com', 'created_at' => '2022-03-01 01:01:11']);
+        $this->seeInDatabase('user', ['email' => 'ahmadinejad@world.com', 'created_at' => '2022-03-01 01:01:11']);
+
+        $data = ['email' => 'ahmadinejad@world.com', 'created_at' => new RawSql("setDateTime('2022-03-11')")];
+
+        $this->db->table('user')->update($data, "email = 'ahmadinejad@world.com'");
+
+        $this->seeInDatabase('user', ['email' => 'ahmadinejad@world.com', 'created_at' => '2022-03-11 01:01:11']);
+    }
+
+    public function testRawSqlInsertArray()
+    {
+        $data = [
+            ['email' => 'pedro@world.com', 'created_at' => new RawSql("setDateTime('2022-04-01')")],
+            ['email' => 'todd@world.com', 'created_at' => new RawSql("setDateTime('2022-04-01')")],
+        ];
+
+        $this->db->table('user')->insertBatch($data);
+
+        $this->seeInDatabase('user', ['email' => 'pedro@world.com', 'created_at' => '2022-04-01 01:01:11']);
+        $this->seeInDatabase('user', ['email' => 'todd@world.com', 'created_at' => '2022-04-01 01:01:11']);
+
+        $data = ['email' => 'jason@world.com', 'created_at' => new RawSql("setDateTime('2022-04-11')")];
+
+        $this->db->table('user')->insert($data);
+
+        $this->seeInDatabase('user', ['email' => 'jason@world.com', 'created_at' => '2022-04-11 01:01:11']);
+    }
+
+    public function testRawSqlInsertObject()
+    {
+        $data = [];
+
+        $row             = new stdclass();
+        $row->email      = 'tony@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-05-01')");
+        $data[]          = $row;
+
+        $row             = new stdclass();
+        $row->email      = 'sara@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-05-01')");
+        $data[]          = $row;
+
+        $this->db->table('user')->insertBatch($data);
+
+        $row->email      = 'jessica@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-05-11')");
+
+        $this->db->table('user')->insert($row);
+
+        $this->seeInDatabase('user', ['email' => 'tony@world.com', 'created_at' => '2022-05-01 01:01:11']);
+        $this->seeInDatabase('user', ['email' => 'sara@world.com', 'created_at' => '2022-05-01 01:01:11']);
+        $this->seeInDatabase('user', ['email' => 'jessica@world.com', 'created_at' => '2022-05-11 01:01:11']);
+    }
+
+    public function testRawSqlSetInsertObject()
+    {
+        $data = [];
+
+        $row             = new stdclass();
+        $row->email      = 'laura@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-06-01')");
+        $data[]          = $row;
+
+        $row             = new stdclass();
+        $row->email      = 'travis@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-06-01')");
+        $data[]          = $row;
+
+        $this->db->table('user')->setInsertBatch($data)->insertBatch();
+
+        $this->seeInDatabase('user', ['email' => 'laura@world.com', 'created_at' => '2022-06-01 01:01:11']);
+        $this->seeInDatabase('user', ['email' => 'travis@world.com', 'created_at' => '2022-06-01 01:01:11']);
+
+        $row->email      = 'steve@world.com';
+        $row->created_at = new RawSql("setDateTime('2022-06-11')");
+
+        $this->db->table('user')->set($row)->insert();
+
+        $this->seeInDatabase('user', ['email' => 'steve@world.com', 'created_at' => '2022-06-11 01:01:11']);
+
+        $this->db->table('user')
+            ->set('email', 'dan@world.com')
+            ->set('created_at', new RawSql("setDateTime('2022-06-13')"))
+            ->insert();
+
+        $this->seeInDatabase('user', ['email' => 'dan@world.com', 'created_at' => '2022-06-13 01:01:11']);
+    }
+}
diff --git a/user_guide_src/source/changelogs/v4.3.0.rst b/user_guide_src/source/changelogs/v4.3.0.rst
@@ -69,6 +69,7 @@ Others
 - Help information for a spark command can now be accessed using the ``--help`` option (e.g. ``php spark serve --help``)
 - Added new Form helper function :php:func:`validation_errors()`, :php:func:`validation_list_errors()` and :php:func:`validation_show_error()` to display Validation Errors.
 - Now you can autoload helpers by **app/Config/Autoload.php**.
+- ``BaseConnection::escape()`` now excludes the ``RawSql`` data type. This allows passing SQL strings into data.
 
 Changes
 *******
diff --git a/user_guide_src/source/database/queries.rst b/user_guide_src/source/database/queries.rst
@@ -99,12 +99,14 @@ It's a very good security practice to escape your data before submitting
 it into your database. CodeIgniter has three methods that help you do
 this:
 
+.. _database-queries-db_escape:
+
 1. $db->escape()
 ================
 
-This function determines the data type so
-that it can escape only string data. It also automatically adds
-single quotes around the data so you don't have to:
+This function determines the data type so that it can escape only string
+data. It also automatically adds single quotes around the data so you
+don't have to:
 
 .. literalinclude:: queries/009.php
 
diff --git a/user_guide_src/source/database/query_builder.rst b/user_guide_src/source/database/query_builder.rst
@@ -800,7 +800,9 @@ Here is an example using an object:
 
 The first parameter is an object.
 
-.. note:: All values are escaped automatically producing safer queries.
+.. note:: All values except ``RawSql`` are escaped automatically producing safer queries.
+
+.. warning:: When you use ``RawSql``, you MUST escape the data manually. Failure to do so could result in SQL injections.
 
 $builder->ignore()
 ------------------
@@ -845,7 +847,9 @@ method. Here is an example using an array:
 
 The first parameter is an associative array of values.
 
-.. note:: All values are escaped automatically producing safer queries.
+.. note:: All values except ``RawSql`` are escaped automatically producing safer queries.
+
+.. warning:: When you use ``RawSql``, you MUST escape the data manually. Failure to do so could result in SQL injections.
 
 *************
 Updating Data
@@ -918,7 +922,9 @@ Or you can supply an object:
 
 .. literalinclude:: query_builder/089.php
 
-.. note:: All values are escaped automatically producing safer queries.
+.. note:: All values except ``RawSql`` are escaped automatically producing safer queries.
+
+.. warning:: When you use ``RawSql``, you MUST escape the data manually. Failure to do so could result in SQL injections.
 
 You'll notice the use of the ``$builder->where()`` method, enabling you
 to set the **WHERE** clause. You can optionally pass this information
@@ -947,7 +953,9 @@ Here is an example using an array:
 
 The first parameter is an associative array of values, the second parameter is the where key.
 
-.. note:: All values are escaped automatically producing safer queries.
+.. note:: All values except ``RawSql`` are escaped automatically producing safer queries.
+
+.. warning:: When you use ``RawSql``, you MUST escape the data manually. Failure to do so could result in SQL injections.
 
 .. note:: ``affectedRows()`` won't give you proper results with this method,
     due to the very nature of how it works. Instead, ``updateBatch()``
diff --git a/user_guide_src/source/database/query_builder/076.php b/user_guide_src/source/database/query_builder/076.php
@@ -1,10 +1,17 @@
 <?php
 
+use CodeIgniter\Database\RawSql;
+
 $data = [
-    'title' => 'My title',
-    'name'  => 'My Name',
-    'date'  => 'My date',
+    'id'          => new RawSql('DEFAULT'),
+    'title'       => 'My title',
+    'name'        => 'My Name',
+    'date'        => '2022-01-01',
+    'last_update' => new RawSql('CURRENT_TIMESTAMP()'),
 ];
 
 $builder->insert($data);
-// Produces: INSERT INTO mytable (title, name, date) VALUES ('My title', 'My name', 'My date')
+/* Produces:
+    INSERT INTO mytable (id, title, name, date, last_update)
+    VALUES (DEFAULT, 'My title', 'My name', '2022-01-01', CURRENT_TIMESTAMP())
+*/

Original file line number	Diff line number	Diff line change
`@@ -2698,7 +2698,7 @@ protected function objectToArray($object)`
`2698`	`2698`
`2699`	`2699`	`foreach (get_object_vars($object) as $key => $val) {`
`2700`	`2700`	`// There are some built in keys we need to ignore for this conversion`
`2701`		`- if (! is_object($val) && ! is_array($val) && $key !== '_parent_name') {`
	`2701`	`+ if ((! is_object($val) \|\| $val instanceof RawSql) && ! is_array($val) && $key !== '_parent_name') {`
`2702`	`2702`	`$array[$key] = $val;`
`2703`	`2703`	`}`
`2704`	`2704`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1243,6 +1243,10 @@ public function escape($str)`
`1243`	`1243`	`}`
`1244`	`1244`
`1245`	`1245`	`if (is_string($str) \|\| (is_object($str) && method_exists($str, '__toString'))) {`
	`1246`	`+ if ($str instanceof RawSql) {`
	`1247`	`+ return $str->__toString();`
	`1248`	`+ }`
	`1249`	`+`
`1246`	`1250`	`return "'" . $this->escapeString($str) . "'";`
`1247`	`1251`	`}`
`1248`	`1252`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`
`14`	`14`	`use CodeIgniter\Database\BaseConnection;`
`15`	`15`	`use CodeIgniter\Database\Exceptions\DatabaseException;`
	`16`	`+use CodeIgniter\Database\RawSql;`
`16`	`17`	`use ErrorException;`
`17`	`18`	`use stdClass;`
`18`	`19`
`@@ -181,6 +182,10 @@ public function escape($str)`
`181`	`182`	`}`
`182`	`183`
`183`	`184`	`if (is_string($str) \|\| (is_object($str) && method_exists($str, '__toString'))) {`
	`185`	`+ if ($str instanceof RawSql) {`
	`186`	`+ return $str->__toString();`
	`187`	`+ }`
	`188`	`+`
`184`	`189`	`return pg_escape_literal($this->connID, $str);`
`185`	`190`	`}`
`186`	`191`