Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[5.6] Fix postgres blueprint compileComment to proper escape its content #22453

Merged
merged 1 commit into from
Dec 18, 2017
Merged

[5.6] Fix postgres blueprint compileComment to proper escape its content #22453

merged 1 commit into from
Dec 18, 2017

Conversation

mfn
Copy link
Contributor

@mfn mfn commented Dec 16, 2017
edited
Loading

Only affects 5.6, code is new

The implementation in #21855 suffers from a slight error when trying to escape the columns comment.

By default, single quotes in Postgres aren't escaped with a backslash but with doubling the single quote.

Instead of … 'test '\ quote' it has to be … 'test '' quote'. Couldn't think of a better way than to use str_replace

/cc @andersondanilo

References:

@mfn mfn changed the title Fix postgres blueprint compileComment to proper escape its content [5.6] Fix postgres blueprint compileComment to proper escape its content Dec 16, 2017
@taylorotwell
Copy link
Member

Will removing addslashes cause other problems? Why was it removed?

@mfn
Copy link
Contributor Author

mfn commented Dec 17, 2017

Will removing addslashes cause other problems? Why was it removed?

Because it will transform a string like foo ' bar into foo \' bar and postgres does not escape single quotes with \ but ' i.e. to escape a single quote ' you have to use two single quotes => ''.

It was introduced with #21855 recently but it's just wrong to use it. If you have comments with single quotes and try it in postgres it will 💥

And, as the PHP manual too states:

addslashes() must not be used with PostgreSQL.

The logic of that method simply does nothing useful in the world of postgres (it's all in the PRs description).

@Miguel-Serejo
Copy link

Are there cases where you might want to keep an unescaped single quote or where a single quote is already escaped in the input string?

@mfn
Copy link
Contributor Author

mfn commented Dec 18, 2017

where a single quote is already escaped in the input string?

Only if you it manuall…? 🤷‍♀️

An unescaped single quote in a single-quoted string in a pgsql statement is an error.

Bueprints ->comment() is properly escaped with this PR, whereas before it breaks when single quotes are contained in a comment.

If you talk about having two literal single quotes: then yes, each of them gets escaped by another single quotes. There postgres rules, not mine 😄

Again, this PR fixes this PR which was recently introduced.

The unit it tests in the Laravel framework don't have integration directly but I verified locally that before this PR it breaks with an SQL error, afterwards it works.

@Miguel-Serejo
Copy link

Thanks for clarifying. I don't have much experience with postgres but have been looking into it.

So, before this PR, if a user tries to manually escape their quotes, the code just fails. With this PR, their quotes get doubled. I guess you wouldn't be expected to escape the quotes yourself so that's probably fine?

Are double-quoted identifiers allowed in comments, and if so, would single quotes need to be escaped in them? For example, if my comment includes the identifier "test o'clock", this would turn that into "test o''clock". Would that still be fine?

@mfn
Copy link
Contributor Author

mfn commented Dec 18, 2017

So, before this PR, if a user tries to manually escape their quotes, the code just fails. With this PR, their quotes get doubled. I guess you wouldn't be expected to escape the quotes yourself so that's probably fine?

Exactly!

Are double-quoted identifiers allowed in comments, and if so, would single quotes need to be escaped in them? For example, if my comment includes the identifier "test o'clock", this would turn that into "test o''clock". Would that still be fine?

Please make yourself familiar with postgres first, double quotes are only applicable to "identifiers" in postgres. Strings can be only quoted with single quotes. There's also an extended form of quoting using E'…' but this IMHO isn't relevant here.

This is usually never an issue with any code per se, as everything is using prepared statements/bound parameters.
But this is the Blueprints, different context.

@Miguel-Serejo
Copy link

double quotes are only applicable to "identifiers" in postgres.

I am aware of that, I'm asking if identifiers are allowed as a part of comments.
For example, adapting an example from the psql documentation:

COMMENT ON TABLE mytable IS 'This is my table and the column "test o'clock" is really important.';

And now that I've actually typed that out, I realize it's invalid as the single quote in the identifier would have to be escaped, which this PR would do.

Thanks for the additional clarification and sorry if it sounded like I was trying to question the validity of this PR, I just wanted to understand this properly.

@taylorotwell taylorotwell merged commit 18f7ede into laravel:master Dec 18, 2017
@mfn
Copy link
Contributor Author

mfn commented Dec 18, 2017

Thanks for the additional clarification and sorry if it sounded like I was trying to question the validity of this PR, I just wanted to understand this properly.

It sounded that way, but I should not have assumed it! Apologies for that and thanks for the feedback!

@mfn mfn deleted the blueprint-pgsql-fix-column-comment branch December 18, 2017 16:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mfn @taylorotwell @Miguel-Serejo @GrahamCampbell