Allows :dql_parameters with ARRAY_* functions

allan-simon · allan-simon · commit 12d7f5ccc293 · 2024-10-17T08:39:09.000Z
before it was only possible to do `ARRAY_APPEND(e.myarray, 'a_literal')`
so it was impossible to have the value coming from php (without resorting
to DQL injection)

We now allow also the following syntax `ARRAY_APPEND(e.myarray, :foobar)`
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppend.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppend.php
@@ -18,6 +18,6 @@ protected function customiseFunction(): void
     {
         $this->setFunctionPrototype('array_append(%s, %s)');
         $this->addNodeMapping('StringPrimary');
-        $this->addNodeMapping('Literal');
+        $this->addNodeMapping('ArithmeticPrimary');
     }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLength.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLength.php
@@ -18,6 +18,6 @@ protected function customiseFunction(): void
     {
         $this->setFunctionPrototype('array_length(%s, %s)');
         $this->addNodeMapping('StringPrimary');
-        $this->addNodeMapping('Literal');
+        $this->addNodeMapping('ArithmeticPrimary');
     }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrepend.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrepend.php
@@ -17,7 +17,7 @@ class ArrayPrepend extends BaseFunction
     protected function customiseFunction(): void
     {
         $this->setFunctionPrototype('array_prepend(%s, %s)');
-        $this->addNodeMapping('Literal');
+        $this->addNodeMapping('ArithmeticPrimary');
         $this->addNodeMapping('StringPrimary');
     }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemove.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemove.php
@@ -18,6 +18,6 @@ protected function customiseFunction(): void
     {
         $this->setFunctionPrototype('array_remove(%s, %s)');
         $this->addNodeMapping('StringPrimary');
-        $this->addNodeMapping('Literal');
+        $this->addNodeMapping('ArithmeticPrimary');
     }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplace.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplace.php
@@ -18,7 +18,7 @@ protected function customiseFunction(): void
     {
         $this->setFunctionPrototype('array_replace(%s, %s, %s)');
         $this->addNodeMapping('StringPrimary');
-        $this->addNodeMapping('Literal');
-        $this->addNodeMapping('Literal');
+        $this->addNodeMapping('ArithmeticPrimary');
+        $this->addNodeMapping('ArithmeticPrimary');
     }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
         return [
             'SELECT array_append(c0_.array1, 1989) AS sclr_0 FROM ContainsArrays c0_',
             "SELECT array_append(c0_.array1, 'country') AS sclr_0 FROM ContainsArrays c0_",
+            "SELECT array_append(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_",
         ];
     }
 
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
         return [
             \sprintf('SELECT ARRAY_APPEND(e.array1, 1989) FROM %s e', ContainsArrays::class),
             \sprintf("SELECT ARRAY_APPEND(e.array1, 'country') FROM %s e", ContainsArrays::class),
+            \sprintf("SELECT ARRAY_APPEND(e.array1, :dql_parameter) FROM %s e", ContainsArrays::class),
         ];
     }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLengthTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLengthTest.php
@@ -20,13 +20,15 @@ protected function getExpectedSqlStatements(): array
     {
         return [
             'SELECT array_length(c0_.array1, 1) AS sclr_0 FROM ContainsArrays c0_',
+            'SELECT array_length(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_',
         ];
     }
 
     protected function getDqlStatements(): array
     {
         return [
             \sprintf('SELECT ARRAY_LENGTH(e.array1, 1) FROM %s e', ContainsArrays::class),
+            \sprintf('SELECT ARRAY_LENGTH(e.array1, :dql_parameter) FROM %s e', ContainsArrays::class),
         ];
     }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
         return [
             'SELECT array_prepend(1885, c0_.array1) AS sclr_0 FROM ContainsArrays c0_',
             "SELECT array_prepend('red', c0_.array1) AS sclr_0 FROM ContainsArrays c0_",
+            "SELECT array_prepend(?, c0_.array1) AS sclr_0 FROM ContainsArrays c0_",
         ];
     }
 
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
         return [
             \sprintf('SELECT ARRAY_PREPEND(1885, e.array1) FROM %s e', ContainsArrays::class),
             \sprintf("SELECT ARRAY_PREPEND('red', e.array1) FROM %s e", ContainsArrays::class),
+            \sprintf("SELECT ARRAY_PREPEND(:dql_parameter, e.array1) FROM %s e", ContainsArrays::class),
         ];
     }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
         return [
             'SELECT array_remove(c0_.array1, 1944) AS sclr_0 FROM ContainsArrays c0_',
             "SELECT array_remove(c0_.array1, 'peach') AS sclr_0 FROM ContainsArrays c0_",
+            "SELECT array_remove(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_",
         ];
     }
 
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
         return [
             \sprintf('SELECT ARRAY_REMOVE(e.array1, 1944) FROM %s e', ContainsArrays::class),
             \sprintf("SELECT ARRAY_REMOVE(e.array1, 'peach') FROM %s e", ContainsArrays::class),
+            \sprintf("SELECT ARRAY_REMOVE(e.array1, :dql_parameter) FROM %s e", ContainsArrays::class),
         ];
     }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
         return [
             'SELECT array_replace(c0_.array1, 1939, 1957) AS sclr_0 FROM ContainsArrays c0_',
             "SELECT array_replace(c0_.array1, 'green', 'mint') AS sclr_0 FROM ContainsArrays c0_",
+            "SELECT array_replace(c0_.array1, 'green', ?) AS sclr_0 FROM ContainsArrays c0_",
         ];
     }
 
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
         return [
             \sprintf('SELECT ARRAY_REPLACE(e.array1, 1939, 1957) FROM %s e', ContainsArrays::class),
             \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', 'mint') FROM %s e", ContainsArrays::class),
+            \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', :dql_parameter) FROM %s e", ContainsArrays::class),
         ];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,6 @@ protected function customiseFunction(): void`
`18`	`18`	`{`
`19`	`19`	`$this->setFunctionPrototype('array_append(%s, %s)');`
`20`	`20`	`$this->addNodeMapping('StringPrimary');`
`21`		`- $this->addNodeMapping('Literal');`
	`21`	`+ $this->addNodeMapping('ArithmeticPrimary');`
`22`	`22`	`}`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ class ArrayPrepend extends BaseFunction`
`17`	`17`	`protected function customiseFunction(): void`
`18`	`18`	`{`
`19`	`19`	`$this->setFunctionPrototype('array_prepend(%s, %s)');`
`20`		`- $this->addNodeMapping('Literal');`
	`20`	`+ $this->addNodeMapping('ArithmeticPrimary');`
`21`	`21`	`$this->addNodeMapping('StringPrimary');`
`22`	`22`	`}`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ protected function customiseFunction(): void`
`18`	`18`	`{`
`19`	`19`	`$this->setFunctionPrototype('array_replace(%s, %s, %s)');`
`20`	`20`	`$this->addNodeMapping('StringPrimary');`
`21`		`- $this->addNodeMapping('Literal');`
`22`		`- $this->addNodeMapping('Literal');`
	`21`	`+ $this->addNodeMapping('ArithmeticPrimary');`
	`22`	`+ $this->addNodeMapping('ArithmeticPrimary');`
`23`	`23`	`}`
`24`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array`
`21`	`21`	`return [`
`22`	`22`	`'SELECT array_append(c0_.array1, 1989) AS sclr_0 FROM ContainsArrays c0_',`
`23`	`23`	`"SELECT array_append(c0_.array1, 'country') AS sclr_0 FROM ContainsArrays c0_",`
	`24`	`+ "SELECT array_append(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_",`
`24`	`25`	`];`
`25`	`26`	`}`
`26`	`27`
`@@ -29,6 +30,7 @@ protected function getDqlStatements(): array`
`29`	`30`	`return [`
`30`	`31`	`\sprintf('SELECT ARRAY_APPEND(e.array1, 1989) FROM %s e', ContainsArrays::class),`
`31`	`32`	`\sprintf("SELECT ARRAY_APPEND(e.array1, 'country') FROM %s e", ContainsArrays::class),`
	`33`	`+ \sprintf("SELECT ARRAY_APPEND(e.array1, :dql_parameter) FROM %s e", ContainsArrays::class),`
`32`	`34`	`];`
`33`	`35`	`}`
`34`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,13 +20,15 @@ protected function getExpectedSqlStatements(): array`
`20`	`20`	`{`
`21`	`21`	`return [`
`22`	`22`	`'SELECT array_length(c0_.array1, 1) AS sclr_0 FROM ContainsArrays c0_',`
	`23`	`+ 'SELECT array_length(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_',`
`23`	`24`	`];`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`protected function getDqlStatements(): array`
`27`	`28`	`{`
`28`	`29`	`return [`
`29`	`30`	`\sprintf('SELECT ARRAY_LENGTH(e.array1, 1) FROM %s e', ContainsArrays::class),`
	`31`	`+ \sprintf('SELECT ARRAY_LENGTH(e.array1, :dql_parameter) FROM %s e', ContainsArrays::class),`
`30`	`32`	`];`
`31`	`33`	`}`
`32`	`34`	`}`