Doctrine 2 - ORM

Table names are not escaped

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Invalid
  • Affects Version/s: None
  • Fix Version/s: 2.0-BETA1
  • Component/s: ORM
  • Security Level: All
  • Labels:
    None

Description

Table names (and maybe also attribute names?) are not escaped when SQL is generated.
This means, if you create something like this

/**
 * @Entity
 * @Table(name="groups")
 */
class Group
...

the generated SQL code will be "CREATE TABLE group (id INT...", which fails because "group" is a reserved keyword. It should be escaped with backticks: "CREATE TABLE `group` (id INT..."

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Christian Heinrich added a comment -

You need to quote the tablename by yourself:

http://www.doctrine-project.org/documentation/manual/2_0/en/basic-mapping:quoting-reserved-words

Show
Christian Heinrich added a comment - You need to quote the tablename by yourself: http://www.doctrine-project.org/documentation/manual/2_0/en/basic-mapping:quoting-reserved-words
Hide
Permalink
Roman S. Borschel added a comment -

Like Christian said, you can mark individial table or column names for quoting in the ORM.

In the DBAL, nothing is quoted automatically to avoid all kinds of issues. When using the DBAL directly you can quote yourself (quoteIdentifier()).

So this is by design. For your concrete problem you can use @Table(name="`group`") but the much better option is to avoid reserved words completely.

Show
Roman S. Borschel added a comment - Like Christian said, you can mark individial table or column names for quoting in the ORM. In the DBAL, nothing is quoted automatically to avoid all kinds of issues. When using the DBAL directly you can quote yourself (quoteIdentifier()). So this is by design. For your concrete problem you can use @Table(name="`group`") but the much better option is to avoid reserved words completely.
Hide
Permalink
Nico Kaiser added a comment -

Oh, ok. So is there a technical reason for this? Why not quote all table / attribute names automatically in Doctrine?

Show
Nico Kaiser added a comment - Oh, ok. So is there a technical reason for this? Why not quote all table / attribute names automatically in Doctrine?
Hide
Permalink
Roman S. Borschel added a comment -

Because that would be overkill and unnecessarily clutters the SQL. More than that, identifier quoting can fail on certain platforms under certain conditions with certain input ... Lastly, it would add quite some code bloat to quote everything because not all SQL goes down 1 execution path.

All these things together with the fact that identifier quoting is considered a workaround led to the current implementation. We discourage identifier quoting, but still make it possible selectively.

We've had the "quote nothing or everything" approach in D1 with a simple switch and it was/is full of problems. Apart from the simple fact that you need to quote everything as soon as you have a single, reserved column or table name anywhere. Thats just overkill.

Show
Roman S. Borschel added a comment - Because that would be overkill and unnecessarily clutters the SQL. More than that, identifier quoting can fail on certain platforms under certain conditions with certain input ... Lastly, it would add quite some code bloat to quote everything because not all SQL goes down 1 execution path. All these things together with the fact that identifier quoting is considered a workaround led to the current implementation. We discourage identifier quoting, but still make it possible selectively. We've had the "quote nothing or everything" approach in D1 with a simple switch and it was/is full of problems. Apart from the simple fact that you need to quote everything as soon as you have a single, reserved column or table name anywhere. Thats just overkill.

People

  • Assignee:
    Roman S. Borschel
    Reporter:
    Nico Kaiser
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: