🐛 Incorrect insertion of FragmentInterface parameters in direct database queries
No duplicates 🥲.
- [X] I have searched for a similar issue in our bug tracker and didn't find any solutions.
Database
MySQL
What happened?
```php
// Guid implements FragmentInterface: it should compile to UUID_TO_BIN(?)
// with the GUID string kept as a bound parameter.
$orderGuids = [Guid::generate()];

$sql = <<<SQL
SELECT SUM(ShippedQuantity) AS quantity, ProductGuid, ShipmentGuid, OrderGuid
FROM shipments
WHERE OrderGuid IN (?)
GROUP BY ProductGuid, ShipmentGuid, OrderGuid
SQL;

// Direct query: the array is passed as the single positional parameter.
$result = $this->database->query($sql, $orderGuids)->fetchAll();
```
Expected query:

```sql
SELECT SUM(ShippedQuantity) AS quantity, ProductGuid, ShipmentGuid, OrderGuid
FROM shipments
WHERE OrderGuid IN (UUID_TO_BIN('018a02d9-ae58-bd7d-db14-400350da139f'))
GROUP BY ProductGuid, ShipmentGuid, OrderGuid
```

Actual query (`UUID_TO_BIN` is missing):

```sql
SELECT SUM(ShippedQuantity) AS quantity, ProductGuid, ShipmentGuid, OrderGuid
FROM shipments
WHERE OrderGuid IN ('018a02d9-ae58-bd7d-db14-400350da139f')
GROUP BY ProductGuid, ShipmentGuid, OrderGuid
```
Version
database 2.8.1
PHP 8.3
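The difference between the expected and actual query above is whether the parameter binder recognises a fragment-carrying value or falls back to stringifying it. The stand-alone PHP script below is an added illustration and not Cycle's compiler, the project's `FragmentInterface`, or the reporter's `Guid` class: it uses a hypothetical `UuidFragment` with `fragment()`/`parameters()` methods and a hypothetical `compile()` that expands `?` placeholders. Run fragment-aware, it produces `IN (UUID_TO_BIN(?), UUID_TO_BIN(?))` with the GUID strings in the bind list; run scalar-only, it reproduces the reported behaviour, `IN (?, ?)` bound to the bare GUID strings. The sample GUIDs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a Guid that implements a fragment contract
// (not Cycle's Guid or FragmentInterface): it carries SQL text with its
// own placeholder plus the value that must stay a bound parameter.
final class UuidFragment implements Stringable
{
    public function __construct(private readonly string $uuid) {}

    /** SQL the driver must see verbatim. Developer-authored, never user input. */
    public function fragment(): string
    {
        return 'UUID_TO_BIN(?)';
    }

    /** Values for the fragment's own placeholders; always sent as bind parameters. */
    public function parameters(): array
    {
        return [$this->uuid];
    }

    /** Stringification is what a fragment-unaware binder falls back to. */
    public function __toString(): string
    {
        return $this->uuid;
    }
}

/**
 * Render one parameter. With $fragmentAware, fragments splice their SQL text and
 * push their values onto $bound; arrays expand to one placeholder per element
 * (for IN (...)); everything else is bound as a scalar.
 */
function renderParam(mixed $param, array &$bound, bool $fragmentAware): string
{
    if ($fragmentAware && $param instanceof UuidFragment) {
        array_push($bound, ...$param->parameters());
        return $param->fragment();
    }
    if (is_array($param)) {
        $parts = [];
        foreach ($param as $element) {
            $parts[] = renderParam($element, $bound, $fragmentAware);
        }
        return implode(', ', $parts);
    }
    // Scalars and Stringable objects are bound as-is (this branch is the reported bug
    // when a fragment lands here: the GUID is bound but UUID_TO_BIN() is lost).
    $bound[] = $param instanceof Stringable ? (string) $param : $param;
    return '?';
}

/**
 * Hypothetical placeholder expansion: returns [sql, boundParameters].
 * Each top-level `?` consumes one entry of $params. Text returned by renderParam()
 * is not rescanned, so a fragment's own `?` placeholders survive untouched.
 */
function compile(string $sql, array $params, bool $fragmentAware = true): array
{
    $bound = [];
    $index = 0;
    $rendered = preg_replace_callback(
        '/\?/',
        function () use (&$index, &$bound, $params, $fragmentAware): string {
            if (!array_key_exists($index, $params)) {
                throw new InvalidArgumentException('More placeholders than parameters');
            }
            return renderParam($params[$index++], $bound, $fragmentAware);
        },
        $sql,
    );
    if ($index !== count($params)) {
        throw new InvalidArgumentException('More parameters than placeholders');
    }
    return [$rendered, $bound];
}

$sql = <<<SQL
SELECT SUM(ShippedQuantity) AS quantity, ProductGuid, ShipmentGuid, OrderGuid
FROM shipments
WHERE OrderGuid IN (?)
GROUP BY ProductGuid, ShipmentGuid, OrderGuid
SQL;

// Constructed sample input: two order GUIDs wrapped as fragments.
$orderGuids = [
    new UuidFragment('018a02d9-ae58-bd7d-db14-400350da139f'),
    new UuidFragment('018a02d9-ae58-bd7d-db14-400350da1400'),
];

foreach ([[true, 'fragment-aware'], [false, 'scalar-only (reported behaviour)']] as [$aware, $label]) {
    [$compiled, $bound] = compile($sql, [$orderGuids], $aware);
    echo "-- {$label}\n{$compiled}\nbound: ", json_encode($bound), "\n\n";
}
```

In both modes the GUID string itself stays a bind parameter; the only text spliced into the statement is the developer-authored `UUID_TO_BIN(?)`. The tempting workaround for the bug, concatenating `UUID_TO_BIN('...')` with the GUID into the SQL string, gives up that property: any GUID that originates from a request would then be interpolated into the query text, which is exactly the path SQL injection takes.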
It's impossible to send a value plus a function instead of just a value in a prepared statement.