Single quotes should not be added to SQLFilter parameters #7075

Open
opened 2026-01-22 15:44:09 +01:00 by admin · 3 comments

Originally created by @geoffroyp on GitHub (Nov 28, 2022).

Bug Report

BC Break: no
Version: 2.13.3

Summary

Greetings,

I think there's a weird behaviour in doctrine's filters. Possibly a bug.
When you pass a parameter to SQLFilter, not only does $this->getParameter() return it as a string, but two single quotes are automatically added to this value. Therefore, all string methods, operators or casting that we could do on this value do not behave like we would expect.

It's very confusing and could lead to all sorts of bugs.

Current behavior


in my file where I enable the filter

```php
$this->em->getFilters()->enable('myFilter')->setParameter('myVar', 42);
```

in the filter

```php
// getParameter() returns the value as a quoted SQL literal, e.g. "'42'"
$number = (int) $this->getParameter('myVar');
```

Then $number is equal to 0, not 42 because it tries to cast "'42'" to int.


in my file where I enable the filter

```php
$this->em->getFilters()->enable('myFilter')->setParameter('myVar', null);
```

in the filter

```php
// A null parameter comes back as "''" (two single quotes), not as ''
if ('' === $this->getParameter('myVar')) {
    echo 'myVar is empty';
} else {
    echo 'myVar is not empty';
}
```

Then it will say that 'myVar is not empty', because it contains "''", which I would definitely not expect by passing "null" as a parameter...


How to reproduce

see above.

Expected behavior

getParameter() should still return a string (even that could be up for debate, but I understand why it has been enforced), but it should NOT add those two single quotes.


@numediaweb commented on GitHub (Jan 31, 2023):

Same issue here: quotes are a good security pass but it's creating issues with filters.

I ended up doing something like:

```php
// substr(..., 1, -1) strips the surrounding single quotes that getParameter() adds
$expression = 0 == substr($this->getParameter('is_duplicate'), 1, -1) ? 'IS NULL' : 'IS NOT NULL';

return sprintf('%s.is_duplicate %s', $targetTableAlias, $expression);
```
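As an added illustration of the behaviour in the report and of the workaround above (not code from the issue or from Doctrine), here is a small stand-in for the quoting part of SQLFilter; the stub class, the `tenant`, `is_duplicate` and `maybe` parameter names, and the sample values are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in (not Doctrine's class) for the part of SQLFilter the
// report is about: setParameter() keeps the raw value, getParameter() hands
// it back as a single-quoted SQL literal.
final class QuotingFilterStub
{
    /** @var array<string, mixed> */
    private array $parameters = [];

    public function setParameter(string $name, mixed $value): void
    {
        $this->parameters[$name] = $value;
    }

    // Embedded single quotes are doubled, so the database can only ever read
    // the result as one string literal.
    public function getParameter(string $name): string
    {
        $value = $this->parameters[$name] ?? null;

        return "'" . str_replace("'", "''", (string) $value) . "'";
    }
}

$filter = new QuotingFilterStub();

// The cast from the report: the literal "'42'" does not cast to 42.
$filter->setParameter('myVar', 42);
$number = (int) $filter->getParameter('myVar');
var_dump($number);

// Intended use: splice the quoted literal into the constraint as-is. A value
// that contains a quote stays inside the literal instead of ending it.
$filter->setParameter('tenant', "o'hare");
echo sprintf('t.tenant = %s', $filter->getParameter('tenant')), "\n";

// Branching on a parameter without stripping the quotes by hand: compare the
// quoted literal with the quoted form of the expected value.
$filter->setParameter('is_duplicate', 0);
$expression = $filter->getParameter('is_duplicate') === "'0'" ? 'IS NULL' : 'IS NOT NULL';
echo sprintf('e.is_duplicate %s', $expression), "\n";

// The null case from the report: null quotes to "''", not to an empty string.
$filter->setParameter('maybe', null);
var_dump($filter->getParameter('maybe') === '');
```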

@luizpcam commented on GitHub (Mar 7, 2024):

same here .... :-(


@gregorybesson commented on GitHub (Mar 19, 2024):

+1 :)


Reference: doctrine/archived-orm#7075