laravelBatch

creates invalid query with quotes in json

Open christophmayrhofer opened this issue 2 years ago • 2 comments

MySQL requires \\ to escape " in a query.

The correct query should be:

UPDATE `test_rows`
SET `test_column` = '{"name":"some \\"quoted\\" word"}' 
WHERE `id` = 1;

but running this:

$data = [
    "name" => 'some "quoted" word'
];

$updates = [[
    'id' => 1,
    'test_column' => json_encode($data)
]];

batch()->update(new TestRow(), $updates, 'id');

results in this (invalid) query:

UPDATE `test_rows`
SET `test_column` = '{"name":"some \"quoted\" word"}' 
WHERE `id` = 1;

Another concern: the code uses string concatenation to create the when then query. Isn't this a risk for SQL injections? Why doesn't it use a parameterized query?

christophmayrhofer, Sep 08 '21 17:09

I'm also having the same problem. Was trying to insert the following:

{"type":"NAIL_POLISH","size":"8 ml (Pack of 25)","color":"Ladies' day","productGroup":"Beauty","itemLength":225,"itemWidth":143,"part_type":"LMPL-SET"}

The single quote in "Ladies' day" is causing a problem, but when I tried it using the usual means it worked:

$array = [
        'type' => 'NAIL_POLISH',
        'size' => '8 ml (Pack of 25)',
        'color' => "Ladies' day",
        'productGroup' => 'Beauty',
        'itemLength' => '225',
        'itemWidth' => '143',
        'part_type' => 'LMPL-SET',
];

$str = json_encode($array);
DB::table('test_table')
        ->insert([
            'json_str' => $str,
        ]);
return 'ok';

This really needs fixing.

anchetaWern, May 24 '22 06:05
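
An added example, not part of the thread and not laravelBatch code: one way to build the batch UPDATE with CASE WHEN ... THEN using bound parameters instead of concatenated values, so the JSON payloads from both reports above reach the database unchanged. `quoteIdent()` and `batchUpdateSql()` are hypothetical helpers, and an in-memory SQLite database (needs the pdo_sqlite extension) stands in for MySQL so the script runs offline.

```php
<?php
// Added example; quoteIdent() and batchUpdateSql() are hypothetical helpers.

// Identifiers cannot be bound as parameters, so allow-list their shape and quote them.
function quoteIdent(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("unsafe identifier: $name");
    }
    return '`' . $name . '`';
}

// Build one UPDATE ... CASE WHEN ... THEN statement in which every value is a
// placeholder. Returns [sql, bindings] for PDO or for Laravel's DB::update().
function batchUpdateSql(string $table, array $rows, string $index): array
{
    if ($rows === []) { throw new InvalidArgumentException('no rows to update'); }
    $sets = $bindings = [];
    foreach (array_diff(array_keys($rows[0]), [$index]) as $column) {
        $case = '';
        foreach ($rows as $row) {
            $case .= ' WHEN ' . quoteIdent($index) . ' = ? THEN ?';
            array_push($bindings, $row[$index], $row[$column]);
        }
        $sets[] = quoteIdent($column) . ' = CASE' . $case
                . ' ELSE ' . quoteIdent($column) . ' END';
    }
    $ids = array_column($rows, $index);
    $sql = 'UPDATE ' . quoteIdent($table) . ' SET ' . implode(', ', $sets)
         . ' WHERE ' . quoteIdent($index)
         . ' IN (' . implode(', ', array_fill(0, count($ids), '?')) . ')';
    return [$sql, array_merge($bindings, $ids)];
}

// Constructed sample rows: the two kinds of payload reported in this thread.
$rows = [
    ['id' => 1, 'test_column' => json_encode(['name' => 'some "quoted" word'])],
    ['id' => 2, 'test_column' => json_encode(['color' => "Ladies' day"])],
];
[$sql, $bindings] = batchUpdateSql('test_rows', $rows, 'id');

// In-memory SQLite stands in for MySQL (assumption made for offline use).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE test_rows (id INTEGER PRIMARY KEY, test_column TEXT)');
$pdo->exec('INSERT INTO test_rows (id) VALUES (1), (2)');
$pdo->prepare($sql)->execute($bindings);
foreach ($pdo->query('SELECT id, test_column FROM test_rows') as $r) {
    echo $r['id'], ' => ', $r['test_column'], "\n"; // stored JSON, byte for byte
}
```

Because the values travel separately from the SQL text, neither the backslash-escaped double quotes nor the single quote needs any manual escaping.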

[image] caused by here

zqh375, Jul 11 '23 06:07