Statement in Where-Clause are not wrapped in brackets anymore #6679

Closed
opened 2026-01-22 15:36:54 +01:00 by admin · 2 comments
Originally created by @LinkingYou on GitHub (Apr 6, 2021).

There is a critical change in doctrine/orm since version 2.8.3.

Here is a simple example for a query with multiple where expressions:

```php
$qb = $em->createQueryBuilder()
    ->from(Customer::class, 'customer')
    ->select('customer')
    ->andWhere('customer.active = true')
    // second expression is a composite containing an OR
    ->andWhere('customer.firstName like ?1 or customer.lastName like ?1')
    ->setParameter(1, '%' . $searchitem . '%')
;
```

In Version 2.8.2 this results in:

```sql
SELECT c0_.id AS id_0, c0_.first_name AS first_name_1, c0_.last_name AS last_name_2, c0_.active AS active_3 FROM customer c0_ WHERE c0_.active = 1 AND (c0_.first_name LIKE ? OR c0_.last_name LIKE ?)
```

... but now in version 2.8.3 I get this:

```sql
SELECT c0_.id AS id_0, c0_.first_name AS first_name_1, c0_.last_name AS last_name_2, c0_.active AS active_3 FROM customer c0_ WHERE c0_.active = 1 AND c0_.first_name LIKE ? OR c0_.last_name LIKE ?
```

In my opinion this is very critical. This has led to security problems in several of my applications.

admin added the BugBC Break labels 2026-01-22 15:36:54 +01:00
admin closed this issue 2026-01-22 15:36:55 +01:00
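Added example, not part of the original issue or of Doctrine's code: it runs the two WHERE clauses quoted above over constructed rows in SQLite to show why the missing parentheses matter. Because SQL binds AND tighter than OR, the 2.8.3 form reads as `(active = 1 AND first_name LIKE ?) OR last_name LIKE ?`, so an inactive customer whose last name matches the search term is returned; the table name, column names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the issue): two active customers and one
# inactive customer whose last name also matches the search term.
CUSTOMERS = [
    (1, "Alice", "Smith", 1),
    (2, "Bob", "Jones", 1),
    (3, "Carol", "Smithson", 0),  # inactive, but last_name matches '%Smith%'
]

# The two WHERE clauses quoted in the issue: generated by 2.8.2 (wrapped)
# and by 2.8.3 (parentheses dropped).
WHERE_2_8_2 = "c0_.active = 1 AND (c0_.first_name LIKE ? OR c0_.last_name LIKE ?)"
WHERE_2_8_3 = "c0_.active = 1 AND c0_.first_name LIKE ? OR c0_.last_name LIKE ?"


def _connection():
    """In-memory SQLite database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER, first_name TEXT, "
        "last_name TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def matching_ids(where_clause, search_item):
    """Run the issue's SELECT with the given WHERE clause; return matched ids."""
    pattern = "%" + search_item + "%"
    sql = "SELECT c0_.id AS id_0 FROM customer c0_ WHERE " + where_clause
    with _connection() as conn:
        # both '?' placeholders receive the same pattern, as ?1 does in the DQL
        rows = conn.execute(sql, (pattern, pattern)).fetchall()
    return sorted(row[0] for row in rows)


def leaks_inactive(where_clause, search_item):
    """True if the clause returns any customer with active = 0, i.e. the
    'active' filter was bypassed by the OR branch."""
    inactive = {c[0] for c in CUSTOMERS if c[3] == 0}
    return bool(inactive & set(matching_ids(where_clause, search_item)))


if __name__ == "__main__":
    for label, clause in (("2.8.2", WHERE_2_8_2), ("2.8.3", WHERE_2_8_3)):
        ids = matching_ids(clause, "Smith")
        print(f"{label}: ids={ids} leaks_inactive={leaks_inactive(clause, 'Smith')}")
```

A regression check like `leaks_inactive` belongs in the application's own test suite, since the intent of a composite `andWhere` should not depend on how a given ORM release renders it; writing the OR explicitly in parentheses, or via `$qb->expr()->orX()`, keeps the DQL unambiguous on its own.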
@beberlei commented on GitHub (Apr 6, 2021):

Uh, will take a look

@beberlei commented on GitHub (Apr 6, 2021):

Indeed, and it's already fixed https://github.com/doctrine/orm/pull/8591 - I will release 2.8.4 immediately.


Reference: doctrine/archived-orm#6679