Commit d99b12fb authored by catch's avatar catch

Issue #3190285 by mondrake, anmolgoyal74, daffie: Entity QueryAggregate does not escape the field

parent 1e1d9a9f
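--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -38,7 +38,8 @@ public function compile($conditionContainer) {
 $condition_class::translateCondition($condition, $sql_query, $tables->isFieldCaseSensitive($condition['field']));
 $function = $condition['function'];
 $placeholder = ':db_placeholder_' . $conditionContainer->nextPlaceholder();
-$conditionContainer->having("$function($field) {$condition['operator']} $placeholder", [$placeholder => $condition['value']]);
+$sql_field_escaped = '[' . str_replace('.', '].[', $field) . ']';
+$conditionContainer->having("$function($sql_field_escaped) {$condition['operator']} $placeholder", [$placeholder => $condition['value']]);
 }
 }
 }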
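Review bot: Only `$field` gains identifier quoting on the having() line; `$function` and `$condition['operator']` are still interpolated into the HAVING expression as raw strings, so a value that is not a bare function name or operator still reaches the SQL unchanged. If those values can originate outside the query builder, compare `$function` against the set of supported aggregate functions before the string is built (or document at the top of compile() that they are trusted developer input); the same applies to `$aggregate['function']` in the addAggregate() hunk below. compile() starts outside the hunk and `$field` is assigned before the visible lines, so where it is derived cannot be checked here.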
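--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -75,7 +75,8 @@ protected function addAggregate() {
 if ($this->aggregate) {
 foreach ($this->aggregate as $aggregate) {
 $sql_field = $this->getSqlField($aggregate['field'], $aggregate['langcode']);
-$this->sqlExpressions[$aggregate['alias']] = $aggregate['function'] . "($sql_field)";
+$sql_field_escaped = '[' . str_replace('.', '].[', $sql_field) . ']';
+$this->sqlExpressions[$aggregate['alias']] = $aggregate['function'] . "($sql_field_escaped)";
 }
 }
 return $this;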
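Review bot: The bracket-quoting expression added in addAggregate() is an unexplained magic string; a comment above it such as `// Wrap each table and column name in the database layer's identifier-quoting markers, which the connection replaces with its driver-specific quote characters.` would make the intent clear to the next reader. The identical expression is introduced in the compile() hunk above, so extracting it into one small shared helper that takes the dotted field name and returns the bracketed form would keep the two call sites from drifting apart. addAggregate() begins outside the hunk.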
...@@ -131,10 +131,14 @@ public function testAggregation() { ...@@ -131,10 +131,14 @@ public function testAggregation() {
// Apply a simple aggregation for different aggregation functions. // Apply a simple aggregation for different aggregation functions.
foreach ($function_expected as $aggregation_function => $expected) { foreach ($function_expected as $aggregation_function => $expected) {
$this->queryResult = $this->entityStorage->getAggregateQuery() $query = $this->entityStorage->getAggregateQuery()
->aggregate('id', $aggregation_function) ->aggregate('id', $aggregation_function);
->execute(); $this->queryResult = $query->execute();
$this->assertEqual($this->queryResult, $expected); // We need to check that a character exists before and after the table,
// column and alias identifiers. These would be the quote characters
// specific for each database system.
$this->assertRegExp('/' . $aggregation_function . '\(.entity_test.\..id.\) AS .id_' . $aggregation_function . './', (string) $query, 'The argument to the aggregation function should be a quoted field.');
$this->assertEquals($expected, $this->queryResult);
} }
// Apply aggregation and groupby on the same query. // Apply aggregation and groupby on the same query.
......