@dereuromark

Summary

  • Fix SQL Server sp_rename to use quoteString() for proper escaping in getRenameTableInstructions() and getRenameColumnInstructions()
  • Fix foreign key column quoting in PostgreSQL and SQL Server adapters to use quoteColumnName() instead of hard-coded double quotes
  • Fix MigrationHelper::tableStatement() to escape table names with addslashes()
  • Fix @params typos in BaseMigration docblocks (should be @param)
  • Fix copy-paste docblock errors in 7 test seed files that said "NumbersSeed seed" but were different classes

Test plan

  • Run PHPStan to verify no type errors
  • Run PHPCS to verify coding standards
  • Run existing test suite to verify no regressions

- Fix SQL Server sp_rename to use quoteString() for proper escaping
- Fix foreign key column quoting in PostgreSQL and SQL Server adapters
  to use quoteColumnName() instead of hard-coded quotes
- Fix MigrationHelper::tableStatement() to escape table names
- Fix @params typos in BaseMigration docblocks (should be @param)
- Fix copy-paste docblock errors in test seed files
@markstory markstory merged commit bf08df2 into 5.x Jan 20, 2026
14 checks passed
@markstory markstory deleted the fix/additional-quoting-issues branch January 20, 2026 03:31
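
Added example, not code from this pull request or from the Migrations adapters: why the summary replaces hard-coded quote characters with a quoting function that doubles the embedded delimiter, for both a foreign key column identifier and an sp_rename string parameter. The helper names, the sample names and the shape of the sp_rename call are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers written for this example; not the adapters' own methods.

// Double-quoted identifier (PostgreSQL style): an embedded " is written as "".
function quoteIdentifierPg(string $name): string
{
    return '"' . str_replace('"', '""', $name) . '"';
}

// Unicode string literal (SQL Server style): an embedded ' is written as ''.
function quoteStringMssql(string $value): string
{
    return "N'" . str_replace("'", "''", $value) . "'";
}

// True when the fragment is exactly one double-quoted identifier.
function isSingleIdentifier(string $fragment): bool
{
    return preg_match('/^"(?:[^"]|"")*"$/', $fragment) === 1;
}

// True when the fragment is exactly one N'...' string literal.
function isSingleStringLiteral(string $fragment): bool
{
    return preg_match("/^N'(?:[^']|'')*'$/", $fragment) === 1;
}

// Constructed names: each contains the delimiter that surrounds it in the SQL.
$column = 'user"id';
$table = "driver's_log";

$cases = [
    'column, hard-coded quotes' => ['"' . $column . '"', 'isSingleIdentifier'],
    'column, delimiter doubled' => [quoteIdentifierPg($column), 'isSingleIdentifier'],
    'table, hard-coded quotes' => ["N'" . $table . "'", 'isSingleStringLiteral'],
    'table, delimiter doubled' => [quoteStringMssql($table), 'isSingleStringLiteral'],
];

foreach ($cases as $label => [$fragment, $check]) {
    printf("%-26s %-20s %s\n", $label, $fragment, $check($fragment) ? 'one token' : 'broken');
}

// The sp_rename call shape below is an assumption about what the adapter emits.
echo 'EXECUTE sp_rename ' . quoteStringMssql($table) . ', ' . quoteStringMssql('trip_log') . "\n";
```
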
dereuromark added a commit that referenced this pull request Jan 20, 2026
This backports several important bug fixes from recent 5.x PRs:

**From PR #1001 (Fix release readiness issues for 5.x):**

- Fix copy-paste bug in Migrator::shouldDropTables() using $messages['down']
  instead of $messages['missing']
- Fix uninitialized $command property in Migrations.php
- Fix weak equality in Table::saveData() (use !== instead of !=)
- Replace assert() with explicit RuntimeException in BaseSeed for
  production safety
- Fix DumpCommand using non-existent $io->error() method (should be $io->err())
- Replace unsafe addslashes() with proper driver escaping (schemaValue())
  for column comments in MysqlAdapter::getRenameColumnInstructions()

**From PR #1002 (Quote database names in PostgreSQL and SQL Server adapters):**

- PostgresAdapter: Quote database name and charset in createDatabase()
- PostgresAdapter: Quote database name in dropDatabase()
- SqlserverAdapter: Use quoteSchemaName() instead of manual brackets in
  createDatabase() and dropDatabase()
- SqlserverAdapter: Fix SQL injection vulnerability in dropDatabase()

**From PR #1003 (Improve SQL quoting and fix docblock issues):**

- SqlserverAdapter: Use quoteString() for sp_rename parameters in
  getRenameTableInstructions() and getRenameColumnInstructions()
- PostgresAdapter/SqlserverAdapter: Use quoteColumnName() for foreign key
  column definitions instead of hard-coded double quotes
markstory pushed a commit that referenced this pull request Jan 21, 2026