Can't escape quote in orderby with a function #7373

New Issue

Closed

opened 2026-01-22 15:50:49 +01:00 by admin · 8 comments

admin commented 2026-01-22 15:50:49 +01:00

Owner

Copy Link

Originally created by @aleblanc on GitHub (May 16, 2024).

When I add a quote in a function in orderBy like this :

$value = " string with quote ' that make error ";
$queryBuilder->orderBy('INSTR(field, '.$this->getEntityManager()->getConnection()->quote($value).')');

This code generate this error :

"[Syntax Error] line 0, col 131: Error: Expected Doctrine\\ORM\\Query\\Lexer::T_CLOSE_PARENTHESIS, got 'that'"

NB: If I remove the quote in the string the query works.

Environnement :

            "name": "gedmo/doctrine-extensions",
            "version": "v3.15.0",

            "name": "doctrine/orm",
            "version": "2.19.5",

Originally created by @aleblanc on GitHub (May 16, 2024). When I add a quote in a function in orderBy like this : ```php $value = " string with quote ' that make error "; $queryBuilder->orderBy('INSTR(field, '.$this->getEntityManager()->getConnection()->quote($value).')'); ``` This code generate this error : <pre> "[Syntax Error] line 0, col 131: Error: Expected Doctrine\\ORM\\Query\\Lexer::T_CLOSE_PARENTHESIS, got 'that'" </pre> NB: If I remove the quote in the string the query works. Environnement : <pre> "name": "gedmo/doctrine-extensions", "version": "v3.15.0", "name": "doctrine/orm", "version": "2.19.5", </pre>

admin closed this issue 2026-01-22 15:50:49 +01:00

admin commented 2026-01-22 15:50:49 +01:00

Author

Owner

Copy Link

@greg0ire commented on GitHub (May 16, 2024):

You are using a DBAL connection method to quote a string that you insert in an ORM query. That seems wrong.

@greg0ire commented on GitHub (May 16, 2024): You are using a DBAL connection method to quote a string that you insert in an ORM query. That seems wrong.

admin commented 2026-01-22 15:50:50 +01:00

Author

Owner

Copy Link

@aleblanc commented on GitHub (May 16, 2024):

I have the same error if I escape the quote manually whitout DBAL connection method :

$queryBuilder->orderBy('INSTR(field, \'string with quote \\\' that make error \')');

@aleblanc commented on GitHub (May 16, 2024): I have the same error if I escape the quote manually whitout DBAL connection method : <pre> $queryBuilder->orderBy('INSTR(field, \'string with quote \\\' that make error \')'); </pre>

admin commented 2026-01-22 15:50:50 +01:00

Author

Owner

Copy Link

@greg0ire commented on GitHub (May 16, 2024):

Have you tried using a prepared statement instead?

@greg0ire commented on GitHub (May 16, 2024): Have you tried using a prepared statement instead?

admin commented 2026-01-22 15:50:50 +01:00

Author

Owner

Copy Link

@aleblanc commented on GitHub (May 16, 2024):

No, I can't use prepare in my use case, but I think it would work without queryBuilder.

I have tried also with setParameter but I have have this error :

Too many parameters: the query defines 1 parameters and you bound 2

Maybe the problem come from Lexer because if I do that, that work :

$queryBuilder->orderBy('INSTR(field, \'string with quote that make error \')');

Maybe Lexer seems to consider \' as the end of a string.

@aleblanc commented on GitHub (May 16, 2024): No, I can't use prepare in my use case, but I think it would work without queryBuilder. I have tried also with setParameter but I have have this error : <pre> Too many parameters: the query defines 1 parameters and you bound 2 </pre> Maybe the problem come from Lexer because if I do that, that work : <pre> $queryBuilder->orderBy('INSTR(field, \'string with quote that make error \')'); </pre> Maybe Lexer seems to consider \\' as the end of a string.

admin commented 2026-01-22 15:50:51 +01:00

Author

Owner

Copy Link

@greg0ire commented on GitHub (May 16, 2024):

By prepared statement I meant a query that uses parameters. It's IMO better than attempting to do the escaping yourself.

I have tried also with setParameter but I have have this error :

You must be doing something wrong, because I have tried modifying 3d9af3187f/tests/Tests/ORM/Functional/OneToOneInverseSideLoadAfterDqlQueryTest.php (L45)

so that it uses inverse'a as a parameter, and it seems to parse just fine.

@greg0ire commented on GitHub (May 16, 2024): By prepared statement I meant a query that uses parameters. It's IMO better than attempting to do the escaping yourself. > I have tried also with setParameter but I have have this error : You must be doing something wrong, because I have tried modifying https://github.com/doctrine/orm/blob/3d9af3187f59930972e7fcb90a1d8059a37b8032/tests/Tests/ORM/Functional/OneToOneInverseSideLoadAfterDqlQueryTest.php#L45 so that it uses `inverse'a` as a parameter, and it seems to parse just fine.

admin commented 2026-01-22 15:50:51 +01:00

Author

Owner

Copy Link

@aleblanc commented on GitHub (May 16, 2024):

Your exemple don't utilise a function, in my exemple I use a function INSTR in the orderby :
$queryBuilder->orderBy('INSTR(field, :value )')->setParameter('value', 'string with quote that make error');

@aleblanc commented on GitHub (May 16, 2024): Your exemple don't utilise a function, in my exemple I use a function INSTR in the orderby : $queryBuilder->orderBy('INSTR(field, :value )')->setParameter('value', 'string with quote that make error');

admin commented 2026-01-22 15:50:51 +01:00

Author

Owner

Copy Link

@greg0ire commented on GitHub (May 16, 2024):

Well I just tried this:

        $fetchedInverse = $this
            ->_em
            ->createQueryBuilder()
            ->select('inverse')
            ->from(InverseSide::class, 'inverse')
            ->andWhere('inverse.id = LOWER(:id)')
            ->setParameter('id', "inverse'a")
            ->getQuery()
            ->getSingleResult();

It parses fine as well. I also tried

        $fetchedInverse = $this
            ->_em
            ->createQueryBuilder()
            ->select('inverse')
            ->from(InverseSide::class, 'inverse')
            ->andWhere('inverse.id = :id')
            ->setParameter('id', 'inverse')
            ->orderBy('LOWER(:other_param)', 'ASC')
            ->setParameter('other_param', "a'b")
            ->getQuery()
            ->getSingleResult();

That parses just right as well.

@greg0ire commented on GitHub (May 16, 2024): Well I just tried this: ```php $fetchedInverse = $this ->_em ->createQueryBuilder() ->select('inverse') ->from(InverseSide::class, 'inverse') ->andWhere('inverse.id = LOWER(:id)') ->setParameter('id', "inverse'a") ->getQuery() ->getSingleResult(); ``` It parses fine as well. I also tried ```php $fetchedInverse = $this ->_em ->createQueryBuilder() ->select('inverse') ->from(InverseSide::class, 'inverse') ->andWhere('inverse.id = :id') ->setParameter('id', 'inverse') ->orderBy('LOWER(:other_param)', 'ASC') ->setParameter('other_param', "a'b") ->getQuery() ->getSingleResult(); ``` That parses just right as well.

admin commented 2026-01-22 15:50:52 +01:00

Author

Owner

Copy Link

@aleblanc commented on GitHub (May 16, 2024):

Indeed with the setParameters, it works, I had a problem in my loop (who remove the orderby parameter), thanks for the help

@aleblanc commented on GitHub (May 16, 2024): Indeed with the setParameters, it works, I had a problem in my loop (who remove the orderby parameter), thanks for the help

admin referenced this issue 2026-01-22 16:07:36 +01:00

[PR #7373] Remove remnants of yaml from documentation #10455

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

3.6.x

2.20.x

dependabot/github_actions/2.20.x/doctrine/dot-github/dot-github/workflows/composer-lint.yml-14.0.0

3.7.x

4.0.x

2.21.x

old-prototype-3.x

3.6.2

3.6.1

3.6.0

2.20.9

3.5.8

3.5.7

3.5.6

3.5.5

2.20.8

3.5.4

3.5.3

2.20.7

3.5.2

2.20.6

3.5.1

3.5.0

3.4.4

3.4.3

3.4.2

2.20.5

3.4.1

3.4.0

3.3.4

2.20.4

3.3.3

2.20.3

3.3.2

2.20.2

3.3.1

2.20.1

3.3.0

3.2.3

2.20.0

2.19.8

3.2.2

2.19.7

3.2.1

2.19.6

3.2.0

3.1.4

3.1.3

2.19.5

3.1.2

2.19.4

3.1.1

2.19.3

2.19.2

2.19.1

3.1.0

2.19.0

3.0.3

2.18.3

3.0.2

2.18.2

3.0.1

2.18.1

3.0.0

2.18.0

2.17.5

3.0.0-RC1

2.17.4

2.17.3

2.17.2

2.17.1

3.0.0-beta2

2.17.0

2.16.3

3.0.0-beta1

2.16.2

2.16.1

2.16.0

2.15.5

2.15.4

2.15.3

2.15.2

2.15.1

2.15.0

2.14.3

2.14.2

2.14.1

2.14.0

2.13.5

2.13.4

2.13.3

2.13.2

2.13.1

2.13.0

2.12.4

2.12.3

2.12.2

2.12.1

2.12.0

2.11.3

2.11.2

2.11.1

2.11.0

2.10.5

2.10.4

2.10.3

2.10.2

2.10.1

2.10.0

2.9.6

2.9.5

2.9.4

2.9.3

2.9.2

2.9.1

2.9.0

2.8.5

2.8.4

2.8.3

2.8.2

2.8.1

2.8.0

2.7.5

2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.14

v2.5.13

v2.5.12

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.4.8

v2.5.1

v2.5.0

v2.5.0-RC2

v2.5.0-RC1

v2.5.0-beta1

v2.5.0-alpha2

v2.5.0-alpha1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.3.6

v2.4.2

2.3.5

v2.4.1

v2.4.0

2.4.0-RC2

2.4.0-RC1

2.4.0-BETA2

2.3.4

2.3.3

2.4.0-BETA1

2.3.2

2.3.1

2.3.0

2.3.0-RC4

2.3.0-RC3

2.3.0-RC2

2.2.3

2.3.0-RC1

2.3.0-BETA1

2.1.7

2.2.2

2.2.1

2.1.6

2.2.0

2.2.0-RC1

2.2.0-BETA2

2.2.0-BETA1

2.1.5

2.1.4

2.1.3

2.1.2

2.1.1

2.0.7

2.1.0

2.1.0RC3

2.1.0RC2

2.1.0RC1

2.0.6

2.1.0BETA1

2.0.5

2.0.4

2.0.3

2.0.2

2.0.1

2.0.0

2.0.0RC2

2.0.0RC1

2.0.0-BETA4

2.0.0-BETA3

2.0.0-BETA2

2.0.0-BETA1

Labels

Clear labels

BC Break

Bug

Can't Fix

Deprecation

Documentation

DQL

Duplicate

Failing Test

Hacktoberfest

Improvement

Improvement

Incomplete

Invalid

Missing Tests

New Feature

PR Created

pull-request

Mirrored from GitHub Pull Request

Question

Regression

Status: Waiting feedback

Waiting feedback

WIP

Won't Fix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

admin

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: doctrine/archived-orm#7373