Project

General

Profile

Actions

Bug #87032

closed

The Function createNamedParameter('string') does not work proper with getQueryBuilderForTable->set() Statement

Added by Simon Köhler almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Database API (Doctrine DBAL)
Target version:
-
Start date:
2018-11-29
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
9
PHP Version:
7.2
Tags:
createNamedParameter,getQueryBuilderForTable
Complexity:
Is Regression:
Sprint Focus:

Description

I have created an Ajax function to store the slug of a record in the pages table. This all happens in a Backend-Module.

Everything works as long as I leave the value for the function "set ('slug', ...)" as a string, for example "set ('slug', 'test')".

As soon as I add the function "createNamedParameter", only the default value ":dcValue2" is output. It does not matter if the parameter "\ PDO :: PARAM_STR" is added or not. If I add a placeholder as a third parameter, the placeholder is output.

However, in the where statement, the function works fine.

The following function saves ":dcValue2" into the database.

/**
     * action save
     *
     * @return void
     */
    public function saveAction(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response)
    {
        $queryParams = $request->getQueryParams();
        $queryBuilder = GeneralUtility::makeInstance(\TYPO3\CMS\Core\Database\ConnectionPool::class)->getQueryBuilderForTable('pages');
        $statement = $queryBuilder
            ->update('pages')
            ->where(
                $queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($queryParams['uid'],\PDO::PARAM_INT))
            )
            ->set('slug',$queryBuilder->createNamedParameter('test'))
            ->execute();

        $output = 'Slug: '.$queryParams['slug'];
        $response->getBody()->write($output);
        return $response->withHeader('Content-Type', 'text/html; charset=utf-8');
    }
Actions #1

Updated by Simon Köhler almost 6 years ago

Sorry, I just read this in the docs:

"The second mandatory argument is the value a field should be set to, the value is automatically transformed to a named parameter of a prepared statement. This way, ->set() key/value pairs are automatically SQL injection safe by default."

That makes it pretty clear then...

Actions #2

Updated by Georg Ringer almost 6 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF