Commit d99b12fb authored by catch's avatar catch

Issue #3190285 by mondrake, anmolgoyal74, daffie: Entity QueryAggregate does not escape the field

parent 1e1d9a9f
......@@ -38,7 +38,8 @@ public function compile($conditionContainer) {
$condition_class::translateCondition($condition, $sql_query, $tables->isFieldCaseSensitive($condition['field']));
$function = $condition['function'];
$placeholder = ':db_placeholder_' . $conditionContainer->nextPlaceholder();
$conditionContainer->having("$function($field) {$condition['operator']} $placeholder", [$placeholder => $condition['value']]);
$sql_field_escaped = '[' . str_replace('.', '].[', $field) . ']';
$conditionContainer->having("$function($sql_field_escaped) {$condition['operator']} $placeholder", [$placeholder => $condition['value']]);
}
}
}
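Review bot: The bracket-quoting expression `'[' . str_replace('.', '].[', $field) . ']'` on the added line is hand-rolled here and repeated verbatim in the addAggregate() hunk below, so the two call sites can silently drift apart the next time the identifier syntax changes; a single shared helper (or the connection's own identifier-quoting method, if one is exposed to this layer) would keep one definition. The replacement only wraps the name in brackets and does not validate it; from this hunk `$field` appears to be a resolved `table.column` identifier produced earlier in compile(), which starts outside the hunk, and that assumption is worth stating next to the line, e.g. `// $field is a resolved table.column name; [] is replaced by the connection's own identifier quotes.`. The same comment belongs on the addAggregate() line, where `$sql_field` comes from getSqlField().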
......
......@@ -75,7 +75,8 @@ protected function addAggregate() {
if ($this->aggregate) {
foreach ($this->aggregate as $aggregate) {
$sql_field = $this->getSqlField($aggregate['field'], $aggregate['langcode']);
$this->sqlExpressions[$aggregate['alias']] = $aggregate['function'] . "($sql_field)";
$sql_field_escaped = '[' . str_replace('.', '].[', $sql_field) . ']';
$this->sqlExpressions[$aggregate['alias']] = $aggregate['function'] . "($sql_field_escaped)";
}
}
return $this;
......
......@@ -131,10 +131,14 @@ public function testAggregation() {
// Apply a simple aggregation for different aggregation functions.
foreach ($function_expected as $aggregation_function => $expected) {
$this->queryResult = $this->entityStorage->getAggregateQuery()
->aggregate('id', $aggregation_function)
->execute();
$this->assertEqual($this->queryResult, $expected);
$query = $this->entityStorage->getAggregateQuery()
->aggregate('id', $aggregation_function);
$this->queryResult = $query->execute();
// We need to check that a character exists before and after the table,
// column and alias identifiers. These would be the quote characters
// specific for each database system.
$this->assertRegExp('/' . $aggregation_function . '\(.entity_test.\..id.\) AS .id_' . $aggregation_function . './', (string) $query, 'The argument to the aggregation function should be a quoted field.');
$this->assertEquals($expected, $this->queryResult);
}
// Apply aggregation and groupby on the same query.
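Review bot: The pattern on the `assertRegExp` line interpolates `$aggregation_function` without `preg_quote()` and uses a bare `.` for each quote character, so any single byte (a space, for instance) satisfies the check and the assertion is weaker than its message claims. Escaping the interpolated name and narrowing the placeholder to the quote characters the supported drivers actually emit would make the test pin what the commit intends, e.g. `$name = preg_quote($aggregation_function, '/');` followed by a pattern built from `$name` with a character class in place of each `.`. If the suite runs on PHPUnit 9, `assertRegExp` is deprecated there in favour of `assertMatchesRegularExpression`, so the new line would be the natural place to switch. testAggregation() continues outside the hunk.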
......