Orm: Doctrine is not Auto-Escaping Columns

Created on 15 Jun 2016 · 8 comments · Source: doctrine/orm

We have an entity with the column 'limit', but this is a reserved keyword in MySQL. Logically, Doctrine ORM should be Auto-Escaping these Columns, but it's stuck in this ideology that we must escape them in the Column name.

An exception occurred while executing 'INSERT INTO content_stream (pagingType, limit, enableSearch, siteId, vendorId, time, timeEdit, timeStatus, status, userId, editUserId, viewVersionId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)' with params ["pager", null, 0, 13, null, 1465943902, 1465943902, null, 1, 4, 4, 38064]:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limit, enableSearch, siteId, vendorId, time, timeEdit, timeStatus, status, userI' at line 1

According to Issue #2409, we tried the following workaround.

@Column(name="`limit`")

This does work for our current situation, but this is a very fragile train of logic and Doctrine ORM should be providing this level of safety, regardless of whether it is a reserved keyword or not.

Bug Can't Fix Invalid
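A check for the failure reported above, as an added example that is not part of the original issue or of Doctrine's code: it pulls the column list out of the failing statement and reports the names that are MySQL reserved words but are not backtick-quoted, together with the quoted form used in the `@Column(name=...)` workaround. The reserved-word set is a constructed subset and all function names are hypothetical.

```python
import re

# Constructed subset of MySQL reserved words, for illustration only. A real
# check should load the full list for the server version in use.
MYSQL_RESERVED = frozenset({
    "ADD", "ALL", "ALTER", "AND", "AS", "BY", "CASE", "CHECK", "COLUMN",
    "CONDITION", "DEFAULT", "DELETE", "DESC", "FROM", "GROUP", "INDEX",
    "INSERT", "KEY", "LIKE", "LIMIT", "ORDER", "RANGE", "READ", "SELECT",
    "TABLE", "TO", "UPDATE", "VALUES", "WHERE",
})

# The failing statement from the report above (column list only matters here).
FAILING_INSERT = (
    "INSERT INTO content_stream (pagingType, limit, enableSearch, siteId, "
    "vendorId, time, timeEdit, timeStatus, status, userId, editUserId, "
    "viewVersionId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
)


def columns_from_insert(sql):
    """Return the column names listed in an INSERT INTO t (...) statement."""
    match = re.search(r"INSERT\s+INTO\s+\S+\s*\(([^)]*)\)", sql, re.IGNORECASE)
    if match is None:
        raise ValueError("no INSERT column list found")
    return [col.strip() for col in match.group(1).split(",")]


def is_quoted(name):
    """True if the name is already wrapped in backticks."""
    return len(name) >= 2 and name.startswith("`") and name.endswith("`")


def unquoted_reserved(columns):
    """Column names that are reserved words and would break the statement."""
    return [c for c in columns
            if not is_quoted(c) and c.upper() in MYSQL_RESERVED]


def suggested_mapping(columns):
    """Map each offending column to the backtick-quoted mapping name."""
    return {c: "`" + c + "`" for c in unquoted_reserved(columns)}


if __name__ == "__main__":
    cols = columns_from_insert(FAILING_INSERT)
    for plain, quoted in suggested_mapping(cols).items():
        print(f'{plain}: use @Column(name="{quoted}")')
```

Only `limit` is flagged: `time` and `status` are MySQL keywords but not reserved ones, which is why the statement fails at `limit` and nowhere else.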


All 8 comments

See #2409.

This is a well known limitation documented at http://doctrine-orm.readthedocs.io/projects/doctrine-orm/en/latest/reference/limitations-and-known-issues.html#identifier-quoting-and-legacy-databases

We will change this for Doctrine 3.x, but for 2.x, auto-quoting of identifiers is a no-go, mostly because of case sensitivity issues.

Please note that this doesn't cause security issues per se, as mappings are not user input, but static application information.

@Ocramius Understood. Since this is the case, is there a way to check out Doctrine 3.x? All of my searching has turned up null.

Check the develop branch

@richRemer you know that we still get email notifications, even if you delete messages, right?

I assumed so. I deleted it because I realized I misunderstood your Doctrine
Beta 3 release notes from 2010 to be Doctrine 3 Beta. Leaving it up there
served no purpose.

The new release could really use some SEO. I could not find any roadmap for
release, so the promise for a fix in v3 is not useful.

On Oct 19, 2017 8:31 AM, "Marco Pivetta" notifications@github.com wrote:

@richRemer https://github.com/richremer you know that we still get
email notifications, even if you delete messages, right?


This is a well known limitation documented at http://doctrine-orm.readthedocs.io/projects/doctrine-orm/en/latest/reference/limitations-and-known-issues.html#identifier-quoting-and-legacy-databases

Hi, is there any way to escape reserved words in XML metadata? Putting `reserved` works but breaks the XSD validation.

Thanks,
Adriano

The documentation page mentioned seems to have been moved here.
