protected function Connection::preprocessStatement in Drupal 9

Returns a string SQL statement ready for preparation.

This method replaces table names in curly braces and identifiers in square brackets with platform-specific replacements, escaping them appropriately and wrapping them in the platform's quote characters.

Parameters

string $query: The query string as SQL, with curly braces surrounding the table names, and square brackets surrounding identifiers.

array $options: An associative array of options to control how the query is run. See the documentation for self::defaultOptions() for details.

Return value

string A string SQL statement ready for preparation.

Throws

\InvalidArgumentException If multiple statements are included in the string, and delimiters are not allowed in the query.

2 calls to Connection::preprocessStatement()
Connection::prepareStatement in core/lib/Drupal/Core/Database/Connection.php
Returns a prepared statement given a SQL string.
Connection::prepareStatement in core/lib/Drupal/Core/Database/Driver/sqlite/Connection.php
Returns a prepared statement given a SQL string.

File

core/lib/Drupal/Core/Database/Connection.php, line 640

Class

Connection
Base Database API class.

Namespace

Drupal\Core\Database

Code

protected function preprocessStatement(string $query, array $options): string {
  // To protect against SQL injection, Drupal only supports executing one
  // statement at a time.  Thus, the presence of a SQL delimiter (the
  // semicolon) is not allowed unless the option is set.  Allowing semicolons
  // should only be needed for special cases like defining a function or
  // stored procedure in SQL. Trim any trailing delimiter to minimize false
  // positives unless delimiter is allowed.
  $trim_chars = "";
  if (empty($options['allow_delimiter_in_query'])) {
    $trim_chars .= ';';
  }
  $query = rtrim($query, $trim_chars);
  if (strpos($query, ';') !== FALSE && empty($options['allow_delimiter_in_query'])) {
    throw new \InvalidArgumentException('; is not supported in SQL strings. Use only one statement at a time.');
  }

  // Resolve {tables} and [identifiers] to the platform specific syntax.
  $query = $this->prefixTables($query);
  if (!($options['allow_square_brackets'] ?? FALSE)) {
    $query = $this->quoteIdentifiers($query);
  }

  return $query;
}
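As an added illustration (not Drupal's own code and not part of this page), the stand-alone script below reimplements the delimiter guard and uses simplified stand-ins for prefixTables() and quoteIdentifiers(), assuming a table prefix of test_ and double-quote identifier quoting, to show which statements pass, which are rejected, and what the two options change:

```php
<?php
// Added example, not Drupal's code. The prefix "test_" and the double-quote
// identifier quoting below are assumptions standing in for the real
// prefixTables() and quoteIdentifiers(), whose output depends on the driver.
function preprocess(string $query, array $options = []): string {
  $allowDelimiter = !empty($options['allow_delimiter_in_query']);
  if (!$allowDelimiter) {
    // A single trailing semicolon is trimmed rather than rejected, so a
    // harmless "SELECT ...;" still works while stacked statements do not.
    $query = rtrim($query, ';');
    if (strpos($query, ';') !== FALSE) {
      throw new \InvalidArgumentException('; is not supported in SQL strings. Use only one statement at a time.');
    }
  }
  // Stand-in for prefixTables(): {table} -> prefixed, quoted table name.
  $query = preg_replace('/\{([a-z0-9_]+)\}/i', '"test_$1"', $query);
  // Stand-in for quoteIdentifiers(): [identifier] -> quoted identifier,
  // skipped when the caller needs literal square brackets in the SQL.
  if (!($options['allow_square_brackets'] ?? FALSE)) {
    $query = preg_replace('/\[([a-z0-9_]+)\]/i', '"$1"', $query);
  }
  return $query;
}

// Constructed sample statements: [query, options].
$cases = [
  ['SELECT [uid], [name] FROM {users_field_data} WHERE [uid] = :uid;', []],
  ['SELECT [uid] FROM {users}; SELECT 2', []],
  ['CREATE FUNCTION f() RETURNS INT BEGIN RETURN 1; END',
    ['allow_delimiter_in_query' => TRUE]],
  ['SELECT [data]->"$[0]" FROM {t}', ['allow_square_brackets' => TRUE]],
];
foreach ($cases as [$sql, $opts]) {
  try {
    echo preprocess($sql, $opts), "\n";
  }
  catch (\InvalidArgumentException $e) {
    echo 'REJECTED: ', $e->getMessage(), "\n";
  }
}
```

The first case passes with its trailing semicolon trimmed, the second is rejected as a stacked statement, the third passes only because the delimiter option is set, and the fourth keeps its bracketed JSON path intact because identifier quoting is skipped.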