DDC-344: Table names are not escaped #428

New Issue

2026-01-22T12:37:56+01:00

admin commented

2026-01-22 12:37:56 +01:00

Originally created by @doctrinebot on GitHub (Feb 17, 2010).

Jira issue originally created by user nicokaiser:

Table names (and maybe also attribute names?) are not escaped when SQL is generated.
This means, if you create something like this

/****
 * @Entity
 * @Table(name="groups")
 */
class Group
...

the generated SQL code will be "CREATE TABLE group (id INT...", which fails because "group" is a reserved keyword. It should be escaped with backticks: "CREATE TABLE group (id INT..."

Originally created by @doctrinebot on GitHub (Feb 17, 2010). Jira issue originally created by user nicokaiser: Table names (and maybe also attribute names?) are not escaped when SQL is generated. This means, if you create something like this ``` /**** * @Entity * @Table(name="groups") */ class Group ... ``` the generated SQL code will be "CREATE TABLE group (id INT...", which fails because "group" is a reserved keyword. It should be escaped with backticks: "CREATE TABLE `group` (id INT..."

admin added the Bug label 2026-01-22 12:37:56 +01:00

admin closed this issue

2026-01-22 12:37:57 +01:00

admin commented

2026-01-22 12:37:58 +01:00

@doctrinebot commented on GitHub (Feb 18, 2010):

Comment created by shurakai:

You need to quote the tablename by yourself:

http://www.doctrine-project.org/documentation/manual/2_0/en/basic-mapping:quoting-reserved-words

@doctrinebot commented on GitHub (Feb 18, 2010): Comment created by shurakai: You need to quote the tablename by yourself: http://www.doctrine-project.org/documentation/manual/2_0/en/basic-mapping:quoting-reserved-words

admin commented

2026-01-22 12:37:58 +01:00

@doctrinebot commented on GitHub (Feb 18, 2010):

Comment created by romanb:

Like Christian said, you can mark individial table or column names for quoting in the ORM.

In the DBAL, nothing is quoted automatically to avoid all kinds of issues. When using the DBAL directly you can quote yourself (quoteIdentifier()).

So this is by design. For your concrete problem you can use @Table(name="group") but the much better option is to avoid reserved words completely.

@doctrinebot commented on GitHub (Feb 18, 2010): Comment created by romanb: Like Christian said, you can mark individial table or column names for quoting in the ORM. In the DBAL, nothing is quoted automatically to avoid all kinds of issues. When using the DBAL directly you can quote yourself (quoteIdentifier()). So this is by design. For your concrete problem you can use @Table(name="`group`") but the much better option is to avoid reserved words completely.

admin commented

2026-01-22 12:37:58 +01:00

@doctrinebot commented on GitHub (Feb 18, 2010):

Issue was closed with resolution "Invalid"

@doctrinebot commented on GitHub (Feb 18, 2010): Issue was closed with resolution "Invalid"

admin commented

2026-01-22 12:37:58 +01:00

@doctrinebot commented on GitHub (Feb 18, 2010):

Comment created by nicokaiser:

Oh, ok. So is there a technical reason for this? Why not quote all table / attribute names automatically in Doctrine?

@doctrinebot commented on GitHub (Feb 18, 2010): Comment created by nicokaiser: Oh, ok. So is there a technical reason for this? Why not quote all table / attribute names automatically in Doctrine?

admin commented

2026-01-22 12:38:00 +01:00

@doctrinebot commented on GitHub (Feb 18, 2010):

Comment created by romanb:

Because that would be overkill and unnecessarily clutters the SQL. More than that, identifier quoting can fail on certain platforms under certain conditions with certain input ... Lastly, it would add quite some code bloat to quote everything because not all SQL goes down 1 execution path.

All these things together with the fact that identifier quoting is considered a workaround led to the current implementation. We discourage identifier quoting, but still make it possible selectively.

We've had the "quote nothing or everything" approach in D1 with a simple switch and it was/is full of problems. Apart from the simple fact that you need to quote everything as soon as you have a single, reserved column or table name anywhere. Thats just overkill.

@doctrinebot commented on GitHub (Feb 18, 2010): Comment created by romanb: Because that would be overkill and unnecessarily clutters the SQL. More than that, identifier quoting can fail on certain platforms under certain conditions with certain input ... Lastly, it would add quite some code bloat to quote everything because not all SQL goes down 1 execution path. All these things together with the fact that identifier quoting is considered a workaround led to the current implementation. We discourage identifier quoting, but still make it possible selectively. We've had the "quote nothing or everything" approach in D1 with a simple switch and it was/is full of problems. Apart from the simple fact that you need to quote **everything** as soon as you have a single, reserved column or table name anywhere. Thats just overkill.

admin referenced this issue

2026-01-22 15:58:46 +01:00

[PR #428] [MERGED] Add QueryBuilder::addCriteria() for Criteria - QueryBuilder bridge #8181

admin referenced this issue

2026-01-22 15:58:47 +01:00

[PR #428] Add QueryBuilder::addCriteria() for Criteria - QueryBuilder bridge #8184

Sign in to join this conversation.