function Connection::preprocessStatement
Same name in other branches
- 9 core/lib/Drupal/Core/Database/Connection.php \Drupal\Core\Database\Connection::preprocessStatement()
- 10 core/lib/Drupal/Core/Database/Connection.php \Drupal\Core\Database\Connection::preprocessStatement()
Returns a string SQL statement ready for preparation.
This method replaces table names in curly braces and identifiers in square brackets with platform-specific replacements, appropriately escaping them and wrapping them with platform quote characters. It also rejects query strings that contain more than one statement (a ';' delimiter) unless the 'allow_delimiter_in_query' option is set, so that stacked queries never reach the driver.
Parameters
string $query: The query string as SQL, with curly braces surrounding the table names, and square brackets surrounding identifiers.
array $options: An associative array of options to control how the query is run. See the documentation for self::defaultOptions() for details.
Return value
string A string SQL statement ready for preparation.
Throws
\InvalidArgumentException If multiple statements are included in the string, and delimiters are not allowed in the query.
2 calls to Connection::preprocessStatement()
- Connection::prepareStatement in core/modules/sqlite/src/Driver/Database/sqlite/Connection.php
- Connection::prepareStatement in core/lib/Drupal/Core/Database/Connection.php - Returns a prepared statement given a SQL string.
File
- core/lib/Drupal/Core/Database/Connection.php, line 466
Class
- Connection
- Base Database API class.
Namespace
- Drupal\Core\Database
Code
protected function preprocessStatement(string $query, array $options) : string {
    // To protect against SQL injection, Drupal only supports executing one
    // statement at a time. Thus, the presence of a SQL delimiter (the
    // semicolon) is not allowed unless the option is set. Allowing semicolons
    // should only be needed for special cases like defining a function or
    // stored procedure in SQL. Trim any trailing delimiter to minimize false
    // positives unless delimiter is allowed.
    $trim_chars = " \xa0\t\n\r\x00\v";
    if (empty($options['allow_delimiter_in_query'])) {
        $trim_chars .= ';';
    }
    $query = rtrim($query, $trim_chars);
    if (str_contains($query, ';') && empty($options['allow_delimiter_in_query'])) {
        throw new \InvalidArgumentException('; is not supported in SQL strings. Use only one statement at a time.');
    }

    // Resolve {tables} and [identifiers] to the platform specific syntax.
    $query = $this->prefixTables($query);
    if (!($options['allow_square_brackets'] ?? FALSE)) {
        $query = $this->quoteIdentifiers($query);
    }
    return $query;
}
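The following is an added, stand-alone PHP example and not Drupal core code. It reproduces the delimiter handling shown above so the behaviour can be exercised outside Drupal; prefixTables() and quoteIdentifiers() are replaced by simplified stand-ins that assume a single 'dr_' table prefix and MySQL-style backtick identifier quotes. Those stand-ins, the class name PreprocessDemo and the sample queries are assumptions made for illustration, not the real implementations. It needs PHP 8.0 or later for str_contains() and constructor property promotion.

```php
<?php
// Added example (not Drupal core code): a stand-alone sketch of the checks
// Connection::preprocessStatement() performs. prefixTables() and
// quoteIdentifiers() are simplified stand-ins (assumed prefix 'dr_' and
// backtick quotes), not Drupal's own implementations.
declare(strict_types=1);

final class PreprocessDemo {
    public function __construct(
        private string $prefix = 'dr_',                // assumed table prefix
        private array $identifierQuotes = ['`', '`'],  // assumed platform quotes
    ) {}

    /** Mirrors the delimiter and placeholder handling of preprocessStatement(). */
    public function preprocess(string $query, array $options = []): string {
        // Trailing whitespace is always trimmed; a trailing ';' is trimmed too
        // unless delimiters are explicitly allowed, to avoid false positives.
        $trim_chars = " \xa0\t\n\r\x00\v";
        if (empty($options['allow_delimiter_in_query'])) {
            $trim_chars .= ';';
        }
        $query = rtrim($query, $trim_chars);

        // Any remaining ';' means more than one statement: refuse it.
        if (str_contains($query, ';') && empty($options['allow_delimiter_in_query'])) {
            throw new \InvalidArgumentException('; is not supported in SQL strings. Use only one statement at a time.');
        }

        // Resolve {tables} and [identifiers] to the platform syntax.
        $query = $this->prefixTables($query);
        if (!($options['allow_square_brackets'] ?? FALSE)) {
            $query = $this->quoteIdentifiers($query);
        }
        return $query;
    }

    /** Stand-in: {table} becomes `dr_table` (quoted, prefixed). */
    private function prefixTables(string $sql): string {
        [$open, $close] = $this->identifierQuotes;
        return preg_replace_callback(
            '/\{([A-Za-z0-9_]+)\}/',
            fn(array $m): string => $open . $this->prefix . $m[1] . $close,
            $sql
        );
    }

    /** Stand-in: [identifier] becomes `identifier`. */
    private function quoteIdentifiers(string $sql): string {
        return str_replace(['[', ']'], $this->identifierQuotes, $sql);
    }
}

$demo = new PreprocessDemo();

// 1. Normal single statement: trailing ';' is trimmed, placeholders resolved.
echo $demo->preprocess("SELECT [uid], [name] FROM {users_field_data} WHERE [uid] = :uid;"), "\n";
// SELECT `uid`, `name` FROM `dr_users_field_data` WHERE `uid` = :uid

// 2. A stacked query is rejected before anything is handed to the driver.
try {
    $demo->preprocess("SELECT 1; DROP TABLE {users_field_data}");
} catch (\InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 3. Only code that genuinely needs delimiters (stored routines, functions)
//    opts in; the semicolon is then preserved rather than trimmed.
echo $demo->preprocess("SELECT 1; SELECT 2;", ['allow_delimiter_in_query' => TRUE]), "\n";
// SELECT 1; SELECT 2;

// 4. With allow_square_brackets the brackets pass through untouched, e.g. for
//    a character class in a pattern, so identifier quoting is the caller's job.
echo $demo->preprocess("SELECT [data] FROM {t} WHERE [data] LIKE '[abc]%'", ['allow_square_brackets' => TRUE]), "\n";
// SELECT [data] FROM `dr_t` WHERE [data] LIKE '[abc]%'
```

Two caveats worth keeping in mind when relying on this check. It is a plain substring scan, so a ';' inside a string literal or comment is rejected just like a real statement separator, and the only remedy is 'allow_delimiter_in_query', which disables the protection for that call entirely. And it only blocks stacked statements; injection within a single statement (a UNION or a tautology in a WHERE clause built from untrusted input) is not caught here and must be prevented by using placeholders such as :uid rather than string concatenation.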