/**
* Implements PHP magic __toString method to convert the query to a string.
*
* @return string
* The prepared statement.
*/
public function __toString()
{
// Create a sanitized comment string to prepend to the query.
$comments = $this->connection->makeComment($this->comments);
// Expressions take priority over literal fields, so we process those first
// and remove any literal fields that conflict.
$fields = $this->fields;
$update_fields = array();
foreach ($this->expressionFields as $field => $data) {
if ($data['expression'] instanceof SelectInterface) {
// Compile and cast expression subquery to a string.
$data['expression']->compile($this->connection, $this);
$data['expression'] = ' (' . $data['expression'] . ')';
}
$update_fields[] = $this->connection->escapeField($field) . '=' . $data['expression'];
unset($fields[$field]);
}
$max_placeholder = 0;
foreach ($fields as $field => $value) {
$update_fields[] = $this->connection->escapeField($field) . '=:db_update_placeholder_' . $max_placeholder++;
}
$query = $comments . 'UPDATE {' . $this->connection->escapeTable($this->table) . '} SET ' . implode(', ', $update_fields);
if (count($this->condition)) {
$this->condition->compile($this->connection, $this);
// There is an implicit string cast on $this->condition.
$query .= "\nWHERE " . $this->condition;
}
return $query;
}
/**
* Implements PHP magic __toString method to convert the query to a string.
*
* @return string
* The prepared statement.
*/
public function __toString()
{
// Create a sanitized comment string to prepend to the query.
$comments = $this->connection->makeComment($this->comments);
$query = $comments . 'DELETE FROM {' . $this->connection->escapeTable($this->table) . '} ';
if (count($this->condition)) {
$this->condition->compile($this->connection, $this);
$query .= "\nWHERE " . $this->condition;
}
return $query;
}
/**
* Implements Drupal\Core\Database\Query\ConditionInterface::compile().
*/
public function compile(Connection $connection, PlaceholderInterface $queryPlaceholder)
{
$this->condition->compile($connection, $queryPlaceholder);
}
/**
* Compiles the HAVING clause for later retrieval.
*
* @param $connection
* The database connection for which to compile the clause.
*/
public function havingCompile(Connection $connection)
{
$this->having->compile($connection, $this);
}
/**
* @covers ::compile
*
* @expectedException \PHPUnit_Framework_Error
* @dataProvider providerTestCompileWithSqlInjectionForOperator
*/
public function testCompileWithSqlInjectionForOperator($operator)
{
$connection = $this->prophesize(Connection::class);
$connection->escapeField(Argument::any())->will(function ($args) {
return preg_replace('/[^A-Za-z0-9_.]+/', '', $args[0]);
});
$connection->mapConditionOperator(Argument::any())->willReturn(NULL);
$connection = $connection->reveal();
$query_placeholder = $this->prophesize(PlaceholderInterface::class);
$counter = 0;
$query_placeholder->nextPlaceholder()->will(function () use(&$counter) {
return $counter++;
});
$query_placeholder->uniqueIdentifier()->willReturn(4);
$query_placeholder = $query_placeholder->reveal();
$condition = new Condition('AND');
$condition->condition('name', 'value', $operator);
$condition->compile($connection, $query_placeholder);
}