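/**
 * Implements PHP magic __toString method to convert the query to a string.
 *
 * Produces the UPDATE statement as a prepared statement: the table and field
 * names are passed through the connection's escapeTable()/escapeField()
 * helpers and literal field values are referred to by numbered
 * :db_update_placeholder_N placeholders rather than being inlined. Expression
 * fields are emitted verbatim (a SelectInterface expression is compiled into a
 * parenthesised subquery first), so expression text has to originate from
 * trusted code, never from external input.
 *
 * @return string
 *   The prepared statement.
 */
public function __toString() {
  // Create a sanitized comment string to prepend to the query.
  $comments = $this->connection->makeComment($this->comments);

  // Expressions take priority over literal fields, so we process those first
  // and remove any literal fields that conflict.
  $fields = $this->fields;
  $update_fields = [];
  foreach ($this->expressionFields as $field => $data) {
    if ($data['expression'] instanceof SelectInterface) {
      // Compile and cast expression subquery to a string.
      $data['expression']->compile($this->connection, $this);
      $data['expression'] = ' (' . $data['expression'] . ')';
    }
    $update_fields[] = $this->connection->escapeField($field) . '=' . $data['expression'];
    unset($fields[$field]);
  }

  // Remaining literal fields get a placeholder each; the running counter is
  // what keeps the placeholder names unique within this statement. Only the
  // field names are needed here, the values are bound elsewhere.
  $max_placeholder = 0;
  foreach (array_keys($fields) as $field) {
    $update_fields[] = $this->connection->escapeField($field) . '=:db_update_placeholder_' . $max_placeholder++;
  }

  $query = $comments . 'UPDATE {' . $this->connection->escapeTable($this->table) . '} SET ' . implode(', ', $update_fields);

  if (count($this->condition)) {
    $this->condition->compile($this->connection, $this);
    // There is an implicit string cast on $this->condition.
    $query .= "\nWHERE " . $this->condition;
  }

  return $query;
}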
/**
 * Implements PHP magic __toString method to convert the query to a string.
 *
 * The table name goes through the connection's escapeTable() helper and the
 * WHERE clause, when present, is the compiled condition object's string form.
 *
 * @return string
 *   The prepared statement.
 */
public function __toString() {
  // Sanitized comment block first, then the escaped target table.
  $prefix = $this->connection->makeComment($this->comments);
  $table = $this->connection->escapeTable($this->table);
  $sql = $prefix . 'DELETE FROM {' . $table . '} ';

  // A WHERE clause is only emitted when at least one condition was added; the
  // condition is compiled against this query before its implicit string cast.
  if (count($this->condition)) {
    $this->condition->compile($this->connection, $this);
    $sql .= "\nWHERE " . $this->condition;
  }

  return $sql;
}
/**
 * Implements Drupal\Core\Database\Query\ConditionInterface::compile().
 *
 * Forwards the connection and the placeholder source unchanged to the wrapped
 * condition object, which does the actual compilation.
 */
public function compile(Connection $connection, PlaceholderInterface $queryPlaceholder) {
  $condition = $this->condition;
  $condition->compile($connection, $queryPlaceholder);
}
/**
 * Compiles the HAVING clause for later retrieval.
 *
 * This query object is handed to the clause as its placeholder source.
 *
 * @param $connection
 *   The database connection for which to compile the clause.
 */
public function havingCompile(Connection $connection) {
  $having = $this->having;
  $having->compile($connection, $this);
}
/**
 * Checks that compiling a condition with an unsafe operator raises an error.
 *
 * Each data set supplies an operator value that must not be turned into SQL;
 * the expected exception below is how PHPUnit surfaces the PHP error that
 * compile() triggers for it.
 *
 * @covers ::compile
 *
 * @expectedException \PHPUnit_Framework_Error
 * @dataProvider providerTestCompileWithSqlInjectionForOperator
 */
public function testCompileWithSqlInjectionForOperator($operator) {
  // Stub the connection: field names are reduced to a safe character set and
  // operators are not remapped, so the operator reaches compile() unchanged.
  $connection_prophecy = $this->prophesize(Connection::class);
  $connection_prophecy->escapeField(Argument::any())->will(function ($args) {
    return preg_replace('/[^A-Za-z0-9_.]+/', '', $args[0]);
  });
  $connection_prophecy->mapConditionOperator(Argument::any())->willReturn(NULL);
  $connection = $connection_prophecy->reveal();

  // Stub the placeholder source with a plain incrementing counter and a fixed
  // query identifier.
  $placeholder_prophecy = $this->prophesize(PlaceholderInterface::class);
  $next = 0;
  $placeholder_prophecy->nextPlaceholder()->will(function () use (&$next) {
    return $next++;
  });
  $placeholder_prophecy->uniqueIdentifier()->willReturn(4);
  $query_placeholder = $placeholder_prophecy->reveal();

  $condition = new Condition('AND');
  $condition->condition('name', 'value', $operator);
  $condition->compile($connection, $query_placeholder);
}