Bug #87032 (closed)
The function createNamedParameter('string') does not work properly with the getQueryBuilderForTable()->set() statement
Description
I have created an Ajax function to store the slug of a record in the pages table. This all happens in a backend module.
Everything works as long as I leave the value for the function "set('slug', ...)" as a string, for example "set('slug', 'test')".
As soon as I add the function "createNamedParameter", only the default value ":dcValue2" is output. It does not matter whether the parameter "\PDO::PARAM_STR" is added or not. If I add a placeholder as a third parameter, the placeholder is output.
In the where statement, however, the function works fine.
The following function saves ":dcValue2" into the database.
    /**
     * action save
     *
     * Stores a slug for a pages record; called via Ajax from a backend module.
     *
     * @return \Psr\Http\Message\ResponseInterface
     */
    public function saveAction(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response)
    {
        $queryParams = $request->getQueryParams();
        $queryBuilder = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Core\Database\ConnectionPool::class)
            ->getQueryBuilderForTable('pages');
        $statement = $queryBuilder
            ->update('pages')
            ->where(
                // In the WHERE part createNamedParameter() behaves as expected.
                $queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($queryParams['uid'], \PDO::PARAM_INT))
            )
            // This is the line in question: the value ends up stored as the literal ":dcValue2".
            ->set('slug', $queryBuilder->createNamedParameter('test'))
            ->execute();
        $output = 'Slug: ' . $queryParams['slug'];
        $response->getBody()->write($output);
        return $response->withHeader('Content-Type', 'text/html; charset=utf-8');
    }
Updated by Simon Köhler almost 6 years ago
Sorry, I just read this in the docs:
"The second mandatory argument is the value a field should be set to, the value is automatically transformed to a named parameter of a prepared statement. This way, ->set() key/value pairs are automatically SQL injection safe by default."
That makes it pretty clear then...
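For the record, here is the corrected form of the saveAction from the description, next to the two other ways of writing the set() call (the double-wrapped one from the report and the explicit one). This is an added example, not code from the report or from TYPO3 core. It assumes the TYPO3 v9/v10 QueryBuilder API used on this page (execute() returning the affected row count for an UPDATE), that uid and slug arrive as query parameters of the Ajax request, and that set() accepts a third boolean argument $createNamedParameter as in the core QueryBuilder signature; check that against the installed version.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Update the slug of one pages record from an Ajax request.
 * Added example (not the reporter's code); assumes ?uid=...&slug=... query parameters.
 */
function updatePageSlug(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
    $queryParams = $request->getQueryParams();
    $uid = (int)($queryParams['uid'] ?? 0);
    $slug = (string)($queryParams['slug'] ?? '');

    // Reject obviously bad input before touching the database.
    if ($uid <= 0 || $slug === '') {
        $response->getBody()->write('Missing uid or slug');
        return $response
            ->withStatus(400)
            ->withHeader('Content-Type', 'text/plain; charset=utf-8');
    }

    $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getQueryBuilderForTable('pages');

    // Correct form: pass the raw value. TYPO3's set() turns it into a named
    // parameter itself, so the slug is bound to the prepared statement and
    // never spliced into the SQL text.
    $affectedRows = $queryBuilder
        ->update('pages')
        ->set('slug', $slug)
        ->where(
            // WHERE still needs an explicit named parameter (as the report observes).
            $queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT))
        )
        ->execute();

    // The slug came from the request: escape it before writing it into a text/html body.
    $response->getBody()->write(
        'Updated rows: ' . $affectedRows . ', slug: ' . htmlspecialchars($slug, ENT_QUOTES, 'UTF-8')
    );
    return $response->withHeader('Content-Type', 'text/html; charset=utf-8');
}

/**
 * The two other spellings of the set() call, for contrast.
 */
function slugSetVariants(QueryBuilder $queryBuilder, string $slug): void
{
    // WRONG (the report's case): createNamedParameter() returns the placeholder
    // string ':dcValueN', and set() then wraps that *string* in a second named
    // parameter. The literal text ':dcValueN' is what gets stored.
    $queryBuilder->set('slug', $queryBuilder->createNamedParameter($slug));

    // Also valid: create the parameter yourself and pass false as the third
    // argument so set() does not create another one. Same effect as the raw value.
    $queryBuilder->set('slug', $queryBuilder->createNamedParameter($slug), false);
}
```

This also explains the exact value in the report: in the posted saveAction the uid parameter becomes :dcValue1, the manually created slug parameter becomes :dcValue2, and set() then creates :dcValue3 bound to the string ':dcValue2', which is why ":dcValue2" is what lands in the slug column.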