Fix identifier escaping when used as string literal for T-SQL #4360
Conversation
05ac646
to
b183d9e
Compare
b183d9e
to
4240ec6
Compare
c0bae78
to
d91a1bb
Compare
|
TL;DR of the issue, the blog post and your diff please? |
|
@greg0ire https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-dropextendedproperty-transact-sql?view=sql-server-ver15 shows the everything is covered by static tests - you want one functional test for |
ed4a9f3
to
5397cb1
Compare
a7237b4
to
3e12f95
Compare
|
@metaturso can you please submit your review on this PR? |
| [$schemaSQL, $tableSQL] = explode('.', $tableName); | ||
| $schemaSQL = $this->quoteStringLiteral($schemaSQL); | ||
| $tableSQL = $this->quoteStringLiteral($tableSQL); | ||
| [$schemaName, $tableName] = explode('.', $tableName, 2); |
There was a problem hiding this comment.
2 assumes that the schema name cannot contain dots but the table can. Why?
80c6921
to
a7f7800
Compare
|
@morozov the feedback has been addressed, it there anything left? |
a7f7800
to
e481418
Compare
There was a problem hiding this comment.
In my opinion, this whole magic about smashing the schema name and the table together and then exploding/parsing with regular expressions is absolutely unreliable.
What if the schema name is "example.com" and the table name is "inventory"?
A proper API must operate with object (schema, table) names and quote, and concatenate them while building SQL. The API works that worse the other way around may pass the tests that cover the happy but won't work in real cases.
|
@morozov Please tell me where introduced newly, this PR fixes a bug related with wrong column names escaping for |
|
I see that this PR relies on the reworked implementation using
It's challenging to review such changes since it takes extra effort to get to their essence. Apart from that, I find the way you behave in the community hard to deal with:
With that said, I'm not personally interested in reviewing this. You can continue working with other DBAL maintainers on getting your changes approved. |
|
@morozov I have added functional tests covering reserved keywords in column names for all database platforms (first commit). I belive I fixed the issue cleanly and in a minimalistic way. If you think the issue can be fixed better (and still fully passing added tests), please advise. To my crediatability. I understand you may "rate me" by several closed PRs into this repo, but I am proud to say this is pure coincidence. I am strong contributor to another backend repos and database abstraction libs like |
|
The DBAL currently has very limited support for quoting identifiers (#4357). Most importantly, there's no distinction at the API level between object names (e.g. I don't see much point in complicating the implementation of the API that was not supposed to be used for this purpose in the first place. |
|
@morozov Your reaction seems brutal to me. With a lot of efford (several iterations of feedback, 10+ hours spent) I was able to fix the issue with very good functional testing FOR EVERY PLATFORM.
What is wrong with fixed ~80 lines (+ added tests, + normalized quotes in existing tests)? Here is example of the current issue: https://github.com/atk4/data/runs/2261267667#step:12:24 |
|
These kind of changes to quoting fundamentals are very high risk for Doctrine. In conjunction with our limited understanding of SQLServer platform, this PR is something we all hesitate to merge, defensive maintenance is critical for a database library. Sorry for getting to the conclusion so late, i certainly have been there myself after having to revert a patch on sqlite foreign keys that took weeks to finish last year for example. As a point in feedback, this kind of deep change to a driver needs careful research and your PR description leaves a lot open wirh respect to quoting original documentation, resources explaining the issue with examples and your own evaluation of them w.r.t Doctrine. We have asked for this several times and we habe also invested hours reviewing this change but still far away from 100% understanding. |
|
I am still convinced this is a bug and it should be fixed. Guys, @greg0ire , @morozov, @beberlei , let me discuss the possible impacts: Pros:
To consider:
Cons:
Can we agree on these points and is there anything else to discuss/address? |
Summary
Alternative to closes #4284 to fix it correctly and with proper functional tests.
The issue was that MSSQL expects string literal (quoted by
') forEXEC sp_addextendedpropertyinstead of identifier name (quoted by[]).