Merged
42 changes: 30 additions & 12 deletions src/Database/PicoDatabaseQueryBuilder.php
@@ -691,23 +691,41 @@ public function rollback()
}

/**
* Escapes a raw SQL query string to be safely used in an SQL statement,
* including handling of single quotes, backslashes, and line breaks,
* based on the active database type.
* Escapes a raw SQL string value so it can be safely embedded inside
* an SQL statement according to the active database dialect.
*
* This function does **not** quote the entire string with `'` — it is intended
* for use in building safe query fragments or inline strings.
* This method performs **SQL literal escaping only** and does NOT:
* - Add surrounding quotes (`'...'`)
* - Escape or transform newline characters (`\n`, `\r`)
* - Replace or normalize whitespace
*
* Newline characters are preserved as-is and stored correctly
* in the database. This avoids issues where line breaks would be
* converted into literal `\n` sequences.
*
* Behavior per database:
* - MySQL/MariaDB: Escapes `'` as `\'` and `\` as `\\`
* - PostgreSQL : Escapes `'` as `''` and `\` as `\\` (assumes use with E'' literals)
* - SQLite : Escapes `'` as `''`; backslash is literal
* - SQL Server : Escapes `'` as `''`; backslash is literal
* - MySQL / MariaDB:
* - Escapes single quote `'` as `\'`
* - Escapes backslash `\` as `\\`
*
* - PostgreSQL:
* - Escapes single quote `'` as `''`
* - Escapes backslash `\` as `\\`
* - Intended for standard string literals (NOT E'' unless handled externally)
*
* - SQLite:
* - Escapes single quote `'` as `''`
* - Backslash is treated as a literal character
*
* - SQL Server:
* - Escapes single quote `'` as `''`
* - Backslash is treated as a literal character
*
* All RDBMS: Converts `\r` and `\n` into `\\r` and `\\n`
* @param string $query
* Raw SQL string value to escape.
*
* @param string $query The raw SQL string to be escaped.
* @return string The escaped SQL string, safe for inclusion in SQL statements.
* @return string
* Escaped SQL string safe for inclusion inside a quoted SQL literal.
*/
public function escapeSQL($query) // NOSONAR
{
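Review bot: The PostgreSQL bullets in this hunk (escapes `\` as `\\`, "Intended for standard string literals (NOT E'' unless handled externally)") document behaviour that corrupts the stored value: with `standard_conforming_strings` on, the PostgreSQL default, a backslash inside a plain `'...'` literal is an ordinary character, so doubling it writes two backslashes into the column; `\\` only collapses to one backslash inside an `E'...'` literal. Either keep the previous wording ("assumes use with E'' literals") and make callers emit `E''`, or stop doubling backslashes for PostgreSQL and escape only `'` as `''`, exactly as the SQLite and SQL Server bullets already state. The MySQL / MariaDB bullet needs a similar qualifier: `\'` is only an escape sequence when the session SQL mode does not include `NO_BACKSLASH_ESCAPES`, so the docblock should say which mode it assumes. The new `@return` text "Escaped SQL string safe for inclusion inside a quoted SQL literal" overstates the guarantee: it holds only if the caller wraps the result in matching single quotes and the connection character set is not a multibyte set (such as GBK) in which a `0x5c` byte can be the trailing byte of a character; I would say so explicitly and note that bound parameters remain the preferred path, with this method as a fallback for fragments that cannot be parameterised.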