Use prepared statements in more places (#810)

* Use prepared statements in more places. I found a few more queries that can use prepared statements instead of sprintf() as much. * Make template handle primary keys better. * Update baseline phpstan wants a more generic function that isn't actually required
cakephp · Feb 4, 2025 · c51b516 · c51b516
1 parent d5b5189
commit c51b516
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 14 deletions.
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -90,6 +90,12 @@ parameters:
 			count: 1
 			path: src/Db/Adapter/MysqlAdapter.php
 
+		-
+			message: '#^Parameter \#1 \$callback of function array_map expects \(callable\(int\|string\)\: mixed\)\|null, Closure\(string\)\: string given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/Db/Adapter/PdoAdapter.php
+
 		-
 			message: '#^Right side of && is always true\.$#'
 			identifier: booleanAnd.rightAlwaysTrue

diff --git a/psalm-baseline.xml b/psalm-baseline.xml
@@ -117,6 +117,12 @@
     </DeprecatedMethod>
   </file>
   <file src="src/Db/Adapter/MysqlAdapter.php">
+    <DeprecatedMethod>
+      <code><![CDATA[describeColumnSql]]></code>
+      <code><![CDATA[describeForeignKeySql]]></code>
+      <code><![CDATA[describeIndexSql]]></code>
+      <code><![CDATA[listTablesSql]]></code>
+    </DeprecatedMethod>
     <RedundantCondition>
       <code><![CDATA[$opened]]></code>
       <code><![CDATA[is_array($newColumns)]]></code>
@@ -127,7 +133,24 @@
       <code><![CDATA[getQueryBuilder]]></code>
     </DeprecatedMethod>
   </file>
+  <file src="src/Db/Adapter/PostgresAdapter.php">
+    <DeprecatedMethod>
+      <code><![CDATA[describeIndexSql]]></code>
+      <code><![CDATA[listTablesSql]]></code>
+    </DeprecatedMethod>
+  </file>
+  <file src="src/Db/Adapter/SqliteAdapter.php">
+    <DeprecatedMethod>
+      <code><![CDATA[describeColumnSql]]></code>
+      <code><![CDATA[describeIndexSql]]></code>
+    </DeprecatedMethod>
+  </file>
   <file src="src/Db/Adapter/SqlserverAdapter.php">
+    <DeprecatedMethod>
+      <code><![CDATA[describeForeignKeySql]]></code>
+      <code><![CDATA[describeIndexSql]]></code>
+      <code><![CDATA[listTablesSql]]></code>
+    </DeprecatedMethod>
     <ImplementedReturnTypeMismatch>
       <code><![CDATA[\Phinx\Db\Adapter\AdapterInterface]]></code>
     </ImplementedReturnTypeMismatch>

diff --git a/src/Db/Adapter/PdoAdapter.php b/src/Db/Adapter/PdoAdapter.php
@@ -370,7 +370,7 @@ public function insert(Table $table, array $row): void
             $this->quoteTableName($table->getName())
         );
         $columns = array_keys($row);
-        $sql .= '(' . implode(', ', array_map([$this, 'quoteColumnName'], $columns)) . ')';
+        $sql .= '(' . implode(', ', array_map($this->quoteColumnName(...), $columns)) . ')';
 
         foreach ($row as $column => $value) {
             if (is_bool($value)) {
@@ -379,7 +379,7 @@ public function insert(Table $table, array $row): void
         }
 
         if ($this->isDryRunEnabled()) {
-            $sql .= ' VALUES (' . implode(', ', array_map([$this, 'quoteValue'], $row)) . ');';
+            $sql .= ' VALUES (' . implode(', ', array_map($this->quoteValue(...), $row)) . ');';
             $this->io->out($sql);
         } else {
             $values = [];
@@ -453,12 +453,11 @@ public function bulkinsert(Table $table, array $rows): void
         $current = current($rows);
         $keys = array_keys($current);
 
-        $callback = fn ($key) => $this->quoteColumnName($key);
-        $sql .= '(' . implode(', ', array_map($callback, $keys)) . ') VALUES ';
+        $sql .= '(' . implode(', ', array_map($this->quoteColumnName(...), $keys)) . ') VALUES ';
 
         if ($this->isDryRunEnabled()) {
             $values = array_map(function ($row) {
-                return '(' . implode(', ', array_map([$this, 'quoteValue'], $row)) . ')';
+                return '(' . implode(', ', array_map($this->quoteValue(...), $row)) . ')';
             }, $rows);
             $sql .= implode(', ', $values) . ';';
             $this->io->out($sql);

diff --git a/src/Db/Adapter/PostgresAdapter.php b/src/Db/Adapter/PostgresAdapter.php
@@ -321,13 +321,15 @@ public function getColumns(string $tableName): array
              datetime_precision
              %s
              FROM information_schema.columns
-             WHERE table_schema = %s AND table_name = %s
+             WHERE table_schema = ? AND table_name = ?
              ORDER BY ordinal_position',
             $this->useIdentity ? ', identity_generation' : '',
-            $this->quoteString($parts['schema']),
-            $this->quoteString($parts['table'])
         );
-        $columnsInfo = $this->fetchAll($sql);
+        $params = [
+            $parts['schema'],
+            $parts['table'],
+        ];
+        $columnsInfo = $this->query($sql, $params)->fetchAll('assoc');
         foreach ($columnsInfo as $columnInfo) {
             $isUserDefined = strtoupper(trim($columnInfo['data_type'])) === 'USER-DEFINED';
 

diff --git a/src/Db/Adapter/SqliteAdapter.php b/src/Db/Adapter/SqliteAdapter.php
@@ -442,12 +442,11 @@ public function truncateTable(string $tableName): void
 
         // assuming no error occurred, reset the autoincrement (if any)
         if ($this->hasTable($info['schema'] . '.sqlite_sequence')) {
-            $this->execute(sprintf(
-                'DELETE FROM %s.%s where name  = %s',
+            $sql = sprintf(
+                'DELETE FROM %s.sqlite_sequence where name = ?',
                 $this->quoteColumnName($info['schema']),
-                'sqlite_sequence',
-                $this->quoteString($info['table'])
-            ));
+            );
+            $this->execute($sql, [$info['table']]);
         }
     }