Merge pull request #5277 from kenjis/fix-escape-negative-integers

kenjis · web-flow · commit 7aa7fcf5ad4a · 2021-11-20T19:42:35.000+09:00
Fix db escape negative integers
diff --git a/system/Database/BaseConnection.php b/system/Database/BaseConnection.php
@@ -565,7 +565,7 @@ abstract protected function execute(string $sql);
      *
      * @param mixed ...$binds
      *
-     * @return BaseResult|bool|Query
+     * @return BaseResult|bool|Query BaseResult when “read” type query, bool when “write” type query, Query when prepared query
      *
      * @todo BC set $queryClass default as null in 4.1
      */
@@ -955,6 +955,8 @@ public function getConnectDuration(int $decimals = 6): string
      * the correct identifiers.
      *
      * @param array|string $item
+     * @param bool         $prefixSingle Prefix an item with no segments?
+     * @param bool         $fieldExists  Supplied $item contains a field name?
      *
      * @return array|string
      */
@@ -1200,10 +1202,6 @@ public function escape($str)
             return ($str === false) ? 0 : 1;
         }
 
-        if (is_numeric($str) && $str < 0) {
-            return "'{$str}'";
-        }
-
         return $str ?? 'NULL';
     }
 
diff --git a/tests/system/Database/BaseQueryTest.php b/tests/system/Database/BaseQueryTest.php
@@ -345,6 +345,38 @@ public function testSetQueryBindsWithSetEscapeFalse()
         $this->assertSame($expected, $query->getQuery());
     }
 
+    /**
+     * @see https://github.com/codeigniter4/CodeIgniter4/issues/4973
+     */
+    public function testSetQueryBindsWithSetEscapeNegativeIntegers()
+    {
+        $query = new Query($this->db);
+
+        $query->setQuery(
+            'SELECT * FROM product WHERE date_pickup < DateAdd(month, ?, Convert(date, GetDate())',
+            [-6],
+            true
+        );
+
+        $expected = 'SELECT * FROM product WHERE date_pickup < DateAdd(month, -6, Convert(date, GetDate())';
+
+        $this->assertSame($expected, $query->getQuery());
+    }
+
+    public function testSetQueryNamedBindsWithNegativeIntegers()
+    {
+        $query = new Query($this->db);
+
+        $query->setQuery(
+            'SELECT * FROM product WHERE date_pickup < DateAdd(month, :num:, Convert(date, GetDate())',
+            ['num' => -6]
+        );
+
+        $expected = 'SELECT * FROM product WHERE date_pickup < DateAdd(month, -6, Convert(date, GetDate())';
+
+        $this->assertSame($expected, $query->getQuery());
+    }
+
     /**
      * @see https://github.com/codeigniter4/CodeIgniter4/issues/2762
      */
diff --git a/tests/system/Database/Live/EscapeTest.php b/tests/system/Database/Live/EscapeTest.php
@@ -38,9 +38,9 @@ protected function setUp(): void
      *
      * @see https://github.com/codeigniter4/CodeIgniter4/issues/606
      */
-    public function testEscapeProtectsNegativeNumbers()
+    public function testDoesNotEscapeNegativeNumbers()
     {
-        $this->assertSame("'-100'", $this->db->escape(-100));
+        $this->assertSame(-100, $this->db->escape(-100));
     }
 
     public function testEscape()

Original file line number	Diff line number	Diff line change
`@@ -565,7 +565,7 @@ abstract protected function execute(string $sql);`
`565`	`565`	`*`
`566`	`566`	`* @param mixed ...$binds`
`567`	`567`	`*`
`568`		`- * @return BaseResult\|bool\|Query`
	`568`	`+ * @return BaseResult\|bool\|Query BaseResult when “read” type query, bool when “write” type query, Query when prepared query`
`569`	`569`	`*`
`570`	`570`	`* @todo BC set $queryClass default as null in 4.1`
`571`	`571`	`*/`
`@@ -955,6 +955,8 @@ public function getConnectDuration(int $decimals = 6): string`
`955`	`955`	`* the correct identifiers.`
`956`	`956`	`*`
`957`	`957`	`* @param array\|string $item`
	`958`	`+ * @param bool $prefixSingle Prefix an item with no segments?`
	`959`	`+ * @param bool $fieldExists Supplied $item contains a field name?`
`958`	`960`	`*`
`959`	`961`	`* @return array\|string`
`960`	`962`	`*/`
`@@ -1200,10 +1202,6 @@ public function escape($str)`
`1200`	`1202`	`return ($str === false) ? 0 : 1;`
`1201`	`1203`	`}`
`1202`	`1204`
`1203`		`- if (is_numeric($str) && $str < 0) {`
`1204`		`- return "'{$str}'";`
`1205`		`- }`
`1206`		`-`
`1207`	`1205`	`return $str ?? 'NULL';`
`1208`	`1206`	`}`
`1209`	`1207`
Original file line number	Diff line number	Diff line change
`@@ -38,9 +38,9 @@ protected function setUp(): void`
`38`	`38`	`*`
`39`	`39`	`* @see https://github.com/codeigniter4/CodeIgniter4/issues/606`
`40`	`40`	`*/`
`41`		`- public function testEscapeProtectsNegativeNumbers()`
	`41`	`+ public function testDoesNotEscapeNegativeNumbers()`
`42`	`42`	`{`
`43`		`- $this->assertSame("'-100'", $this->db->escape(-100));`
	`43`	`+ $this->assertSame(-100, $this->db->escape(-100));`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`public function testEscape()`