Phabric icon indicating copy to clipboard operation
Phabric copied to clipboard
verified publisher icon woledzki

DB Value escaping

Open benwaine opened this issue 14 years ago • 7 comments

Currently no escaping.

Have to think how to implement this / also is it necessary.

Not a customer facing?

benwaine avatar Aug 16 '11 22:08 benwaine

I think it makes sense to leave doctrine / the abstract concept of a datasource to be repsonsible for this bit.

glenjamin avatar Aug 18 '11 10:08 glenjamin

I agree with @glenjamin seems to me that is the responsibility of a database abstraction layer.

marijn avatar Aug 18 '11 16:08 marijn

Unfortunately DBAL doesn't escape values automatically. This would require more meta data about the values in question than is available to the DBAL.

Doctrine ORM can achieve auto escaping because each table is described in xml, ymal or PHP annotations.

benwaine avatar Aug 20 '11 10:08 benwaine

Damm tat comment and close button is to close to just 'close' :D

benwaine avatar Aug 20 '11 10:08 benwaine

The inputs are all known, so I guess this isn't really much of a problem. If there are any fields/values which need to be escaped then the test implementor could use a transformation.

glenjamin avatar Aug 20 '11 10:08 glenjamin

@benwaine first, you need to extract DB-oriented logic into separate interface. All escaping should happen here. For example, you have 2 connection interface implementations:

  1. DoctrineDbalConnection - will escape all it's values before updating/inserting
  2. DoctrineOrmConnection - will not do anything with values, as it's ORM job in this case

everzet avatar Aug 21 '11 14:08 everzet

As part of the data source abstraction I have moved Doctrine DBAL into a separate adapter implementing a data source interface.

I'll be able to add the escaping in at this point.

benwaine avatar Aug 22 '11 08:08 benwaine