[10.x] Fixes whereDate, whereDay, whereMonth, whereTime, whereYear and whereJsonLength to ignore invalid $operator #52704

Merged
merged 8 commits into from
Sep 9, 2024


crynobone
Member

No description provided.

@crynobone crynobone force-pushed the where-invalid-operator branch from 5a92005 to f303beb Compare September 9, 2024 08:45
… and `whereJsonLength` to ignore invalid `$operator`

Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone crynobone force-pushed the where-invalid-operator branch from ea2559e to 4ff4011 Compare September 9, 2024 09:11
@crynobone crynobone changed the title Fixes whereDate, whereDay, whereMonth, whereTime, whereYear and whereJsonLength to ignore invalid $operator [10.x] Fixes whereDate, whereDay, whereMonth, whereTime, whereYear and whereJsonLength to ignore invalid $operator Sep 9, 2024
@@ -33,13 +36,16 @@ public function getSQLDeclaration(array $column, AbstractPlatform $platform): st
MySQLPlatform::class,
MySQL57Platform::class,
MySQL80Platform::class,
MySQL84Platform::class,
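Review bot: the platform list in `getSQLDeclaration` (the lines around `MySQL84Platform::class`) has no visible link to the `$operator` handling named in the pull request title, and the pull request has no description. Please state in the description or in a code comment why this change is bundled here, so a later reader of the history can tell it apart from the operator fix.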
Member

Shouldn't we move these changes to a separate PR?

Member Author

10.x is currently on security only updates.

@rodrigopedra
Contributor

Mind if I ask why? Or what is this trying to solve?

Isn't it better to throw an InvalidArgumentException?

I mean, if a particular DBMS supports an operator not listed as valid within the class, I guess the developer would be surprised by this behavior.

@GrahamCampbell
Member

> Mind if I ask why? Or what is this trying to solve?

I assume the issue is SQL injection, where the operator comes from user input? We have a similar fallback system for when an invalid sort direction is passed to order by, for example.
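
The two behaviours discussed in this thread (ignoring an invalid operator versus throwing), as an added illustration that is not part of the pull request or of any participant's comment and is not the framework's code. The function `whereYearClause`, the constant `ALLOWED_OPERATORS` and the sample input are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list; a real query builder keeps its own, larger list.
const ALLOWED_OPERATORS = ['=', '<', '>', '<=', '>=', '<>', '!='];

/**
 * Build a "year(column) <op> ?" clause. $column is assumed to be a trusted,
 * developer-supplied identifier; $operator and $value may be user input.
 * Returns [sql, bindings]. Only allow-listed operators reach the SQL text.
 */
function whereYearClause(string $column, string $operator, mixed $value, bool $strict = false): array
{
    $normalized = strtolower(trim($operator));

    if (!in_array($normalized, ALLOWED_OPERATORS, true)) {
        if ($strict) {
            // Alternative raised in the thread: reject instead of ignoring.
            throw new InvalidArgumentException('Illegal operator.');
        }
        // Fallback: ignore the invalid operator and compare with "=".
        $normalized = '=';
    }

    // The value is never concatenated; it travels as a bound parameter.
    return ["year(`{$column}`) {$normalized} ?", [$value]];
}

// Constructed sample input standing in for a request parameter.
$untrusted = '>= 2000 or 1=1 --';

// Fallback mode: the untrusted text never appears in the SQL string.
[$sql, $bindings] = whereYearClause('created_at', $untrusted, 2024);
echo $sql, PHP_EOL;

// Strict mode: the same input is rejected with an exception.
try {
    whereYearClause('created_at', $untrusted, 2024, strict: true);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate operator passes through unchanged in either mode.
[$sql] = whereYearClause('created_at', '>=', 2024);
echo $sql, PHP_EOL;
```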
