Skip to content

Fix xPDOQuery::set() string quoting and introduce xPDOExpression for query layer #280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
opengeek merged 1 commit into from
Apr 7, 2026
Merged

Fix xPDOQuery::set() string quoting and introduce xPDOExpression for query layer #280

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion src/xPDO/Om/mysql/xPDOQuery.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,10 @@ public function construct() {
$this->select('*');
}
foreach ($this->query['columns'] as $alias => $column) {
if ($column instanceof \xPDO\Om\xPDOExpression) {
$columns[]= $column->getExpression();
continue;
}
$ignorealias = is_int($alias);
$escape = !preg_match('/\bAS\b/i', $column) && !preg_match('/\./', $column) && !preg_match('/\(/', $column);
if ($escape) {
Expand Down Expand Up @@ -78,7 +82,9 @@ public function construct() {
foreach ($this->query['set'] as $setKey => $setVal) {
$value = $setVal['value'];
$type = $setVal['type'];
if ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
if ($value instanceof \xPDO\Om\xPDOExpression) {
$value = $value->getExpression();
} elseif ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
$value = $this->xpdo->quote($value, $type);
} elseif ($value === null) {
$value = 'NULL';
Expand Down
8 changes: 7 additions & 1 deletion src/xPDO/Om/pgsql/xPDOQuery.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ public function construct() {
$this->select('*');
}
foreach ($this->query['columns'] as $alias => $column) {
if ($column instanceof \xPDO\Om\xPDOExpression) {
$columns[]= $column->getExpression();
continue;
}
$ignorealias = is_int($alias);
$escape = !preg_match('/\bAS\b/i', $column) && !preg_match('/\./', $column) && !preg_match('/\(/', $column);
if ($escape) {
Expand Down Expand Up @@ -69,7 +73,9 @@ public function construct() {
foreach ($this->query['set'] as $setKey => $setVal) {
$value = $setVal['value'];
$type = $setVal['type'];
if ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
if ($value instanceof \xPDO\Om\xPDOExpression) {
$value = $value->getExpression();
} elseif ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
$value = $this->xpdo->quote($value, $type);
} elseif ($value === null) {
$value = 'NULL';
Expand Down
8 changes: 7 additions & 1 deletion src/xPDO/Om/sqlite/xPDOQuery.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,10 @@ public function construct() {
$this->select('*');
}
foreach ($this->query['columns'] as $alias => $column) {
if ($column instanceof \xPDO\Om\xPDOExpression) {
$columns[]= $column->getExpression();
continue;
}
$ignorealias = is_int($alias);
$escape = !preg_match('/\bAS\b/i', $column) && !preg_match('/\./', $column) && !preg_match('/\(/', $column);
if ($escape) {
Expand Down Expand Up @@ -78,7 +82,9 @@ public function construct() {
foreach ($this->query['set'] as $setKey => $setVal) {
$value = $setVal['value'];
$type = $setVal['type'];
if ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
if ($value instanceof \xPDO\Om\xPDOExpression) {
$value = $value->getExpression();
} elseif ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
$value = $this->xpdo->quote($value, $type);
} elseif ($value === null) {
$value = 'NULL';
Expand Down
121 changes: 73 additions & 48 deletions src/xPDO/Om/sqlsrv/xPDOQuery.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@

namespace xPDO\Om\sqlsrv;

use xPDO\Om\xPDOExpression;
use xPDO\Om\xPDOQueryCondition;
use xPDO\xPDO;

Expand Down Expand Up @@ -57,14 +58,17 @@ public function parseConditions($conditions, $conjunction = xPDOQuery::SQL_AND)
if (is_array($val)) {
$result[]= $this->parseConditions($val, $conjunction);
continue;
} elseif ($val instanceof xPDOExpression) {
$result[]= new xPDOQueryCondition(array('sql' => $val->getExpression(), 'binding' => null, 'conjunction' => $conjunction));
continue;
} elseif ($this->isConditionalClause($val)) {
$result[]= new xPDOQueryCondition(array('sql' => $val, 'binding' => null, 'conjunction' => $conjunction));
continue;
} else {
$this->xpdo->log(xPDO::LOG_LEVEL_ERROR, "Error parsing condition with key {$key}: " . print_r($val, true));
continue;
}
} elseif (is_scalar($val) || is_array($val) || $val === null) {
} elseif (is_scalar($val) || is_array($val) || $val === null || $val instanceof xPDOExpression) {
$alias= $command == 'SELECT' ? $this->_class : trim($this->xpdo->getTableName($this->_class, false), $this->xpdo->_escapeCharOpen . $this->xpdo->_escapeCharClose);
$operator= '=';
$conj = $conjunction;
Expand All @@ -83,62 +87,77 @@ public function parseConditions($conditions, $conjunction = xPDOQuery::SQL_AND)
$alias= trim($key_parts[0], " {$this->xpdo->_escapeCharOpen}{$this->xpdo->_escapeCharClose}");
$key= $key_parts[1];
}
if ($val === null) {
$type= \PDO::PARAM_NULL;
if (!in_array($operator, array('IS', 'IS NOT'))) {
$operator= $operator === '!=' ? 'IS NOT' : 'IS';
if (!empty($key)) {
if ($val instanceof xPDOExpression) {
$type= null;
$sql = $this->xpdo->escape($alias) . '.' . $this->xpdo->escape($key) . ' ' . $operator . ' ' . $val->getExpression();
$result[]= new xPDOQueryCondition(array('sql' => $sql, 'binding' => null, 'conjunction' => $conj));
continue;
}
}
elseif (isset($fieldMeta[$key]) && !in_array($fieldMeta[$key]['phptype'], $this->_quotable)) {
$type= \PDO::PARAM_INT;
}
else {
$type= \PDO::PARAM_STR;
}
if (in_array(strtoupper($operator), array('IN', 'NOT IN')) && is_array($val)) {
$vals = array();
foreach ($val as $v) {
switch ($type) {
case \PDO::PARAM_INT:
$vals[] = (int) $v;
break;
case \PDO::PARAM_STR:
$vals[] = $this->xpdo->quote($v);
break;
default:
$this->xpdo->log(xPDO::LOG_LEVEL_ERROR, "Error parsing {$operator} condition with key {$key}: " . print_r($v, true));
break;
elseif ($val === null) {
$type= \PDO::PARAM_NULL;
if (!in_array($operator, array('IS', 'IS NOT'))) {
$operator= $operator === '!=' ? 'IS NOT' : 'IS';
}
}
if (!empty($vals)) {
$val = "(" . implode(',', $vals) . ")";
$sql = "{$this->xpdo->escape($alias)}.{$this->xpdo->escape($key)} {$operator} {$val}";
$result[]= new xPDOQueryCondition(array('sql' => $sql, 'binding' => null, 'conjunction' => $conj));
continue;
elseif (isset($fieldMeta[$key]) && !in_array($fieldMeta[$key]['phptype'], $this->_quotable)) {
$type= \PDO::PARAM_INT;
}
else {
$type= \PDO::PARAM_STR;
}
if (in_array(strtoupper($operator), array('IN', 'NOT IN')) && is_array($val)) {
$vals = array();
foreach ($val as $v) {
switch ($type) {
case \PDO::PARAM_INT:
$vals[] = (int) $v;
break;
case \PDO::PARAM_STR:
$vals[] = $this->xpdo->quote($v);
break;
default:
$this->xpdo->log(xPDO::LOG_LEVEL_ERROR, "Error parsing {$operator} condition with key {$key}: " . print_r($v, true));
break;
}
}
if (!empty($vals)) {
$val = "(" . implode(',', $vals) . ")";
$sql = "{$this->xpdo->escape($alias)}.{$this->xpdo->escape($key)} {$operator} {$val}";
$result[]= new xPDOQueryCondition(array('sql' => $sql, 'binding' => null, 'conjunction' => $conj));
continue;
} else {
$this->xpdo->log(xPDO::LOG_LEVEL_ERROR, "Error parsing {$operator} condition with key {$key}: " . print_r($val, true));
continue;
}
}
$field= array ();
if ($type === \PDO::PARAM_NULL) {
$field['sql']= $this->xpdo->escape($alias) . '.' . $this->xpdo->escape($key) . ' ' . $operator . ' NULL';
$field['binding']= null;
$field['conjunction']= $conj;
} else {
$this->xpdo->log(xPDO::LOG_LEVEL_ERROR, "Error parsing {$operator} condition with key {$key}: " . print_r($val, true));
continue;
$field['sql']= $this->xpdo->escape($alias) . '.' . $this->xpdo->escape($key) . ' ' . $operator . ' ?';
$field['binding']= array (
'value' => $val,
'type' => $type,
'length' => 0
);
$field['conjunction']= $conj;
}
$result[]= new xPDOQueryCondition($field);
}
$field= array ();
if ($type === \PDO::PARAM_NULL) {
$field['sql']= $this->xpdo->escape($alias) . '.' . $this->xpdo->escape($key) . ' ' . $operator . ' NULL';
$field['binding']= null;
$field['conjunction']= $conj;
} else {
$field['sql']= $this->xpdo->escape($alias) . '.' . $this->xpdo->escape($key) . ' ' . $operator . ' ?';
$field['binding']= array (
'value' => $val,
'type' => $type,
'length' => 0
);
$field['conjunction']= $conj;
}
$result[]= new xPDOQueryCondition($field);
}
}
}
}
elseif ($conditions instanceof xPDOExpression) {
$result= new xPDOQueryCondition(array(
'sql' => $conditions->getExpression()
,'binding' => null
,'conjunction' => $conjunction
));
}
elseif ($this->isConditionalClause($conditions)) {
$result= new xPDOQueryCondition(array(
'sql' => $conditions
Expand Down Expand Up @@ -201,6 +220,10 @@ public function construct() {
$this->select('*');
}
foreach ($this->query['columns'] as $alias => $column) {
if ($column instanceof \xPDO\Om\xPDOExpression) {
$columns[]= $column->getExpression();
continue;
}
$ignorealias = is_int($alias);
$escape = !preg_match('/\bAS\b/i', $column) && !preg_match('/\./', $column) && !preg_match('/\(/', $column);
if ($escape) {
Expand Down Expand Up @@ -249,7 +272,9 @@ public function construct() {
foreach ($this->query['set'] as $setKey => $setVal) {
$value = $setVal['value'];
$type = $setVal['type'];
if ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
if ($value instanceof \xPDO\Om\xPDOExpression) {
$value = $value->getExpression();
} elseif ($value !== null && in_array($type, array(\PDO::PARAM_INT, \PDO::PARAM_STR))) {
$value = $this->xpdo->quote($value, $type);
} elseif ($value === null) {
$value = 'NULL';
Expand Down
52 changes: 52 additions & 0 deletions src/xPDO/Om/xPDOExpression.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
<?php
/**
* This file is part of the xPDO package.
*
* Copyright (c) Jason Coward <jason@opengeek.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace xPDO\Om;

/**
* A value object wrapping a raw SQL expression for use in xPDOQuery.
*
* Pass an instance of this class wherever xPDOQuery accepts a column value
* or a SELECT column entry when you need a verbatim SQL fragment — for example,
* a function call (NOW(), CURRENT_TIMESTAMP), an arithmetic expression
* (counter + 1), or an aggregate with alias (COUNT(*) AS total). Valid contexts
* include SET, SELECT, WHERE, HAVING, GROUP BY, and ORDER BY clauses.
*
* xPDOExpression is intentionally restricted to the query layer. Do NOT pass
* it to xPDOObject::set() or xPDOObject::save(); PDO parameterised bindings
* will treat it as a string literal there.
*
* SECURITY CONTRACT: The expression string is embedded verbatim into the
* generated SQL without any quoting, escaping, or parameterisation. The caller
* is solely responsible for ensuring the expression is safe. User-supplied
* input must NEVER be passed directly to this class or to the xPDO::expression()
* factory. Violating this contract will result in SQL injection vulnerabilities.
*
* @package xPDO\Om
*/
final class xPDOExpression
{
private string $expression;

/**
* @param string $expression A trusted, developer-controlled SQL fragment.
* MUST NOT contain unsanitised user input.
* @psalm-taint-sink sql $expression
*/
public function __construct(string $expression)
{
$this->expression = $expression;
}

public function getExpression(): string
{
return $this->expression;
}
}
Loading
Loading