Commit b0cfaff

committed
Update PicoDatabaseQueryBuilder.php
1 parent 2341cf5 commit b0cfaff

1 file changed

+30
-12
lines changed

src/Database/PicoDatabaseQueryBuilder.php

Lines changed: 30 additions & 12 deletions
@@ -691,23 +691,41 @@ public function rollback()
691691
}
692692

693693
/**
694-
* Escapes a raw SQL query string to be safely used in an SQL statement,
695-
* including handling of single quotes, backslashes, and line breaks,
696-
* based on the active database type.
694+
* Escapes a raw SQL string value so it can be safely embedded inside
695+
* an SQL statement according to the active database dialect.
697696
*
698-
* This function does **not** quote the entire string with `'` — it is intended
699-
* for use in building safe query fragments or inline strings.
697+
* This method performs **SQL literal escaping only** and does NOT:
698+
* - Add surrounding quotes (`'...'`)
699+
* - Escape or transform newline characters (`\n`, `\r`)
700+
* - Replace or normalize whitespace
701+
*
702+
* Newline characters are preserved as-is and stored correctly
703+
* in the database. This avoids issues where line breaks would be
704+
* converted into literal `\n` sequences.
700705
*
701706
* Behavior per database:
702-
* - MySQL/MariaDB: Escapes `'` as `\'` and `\` as `\\`
703-
* - PostgreSQL : Escapes `'` as `''` and `\` as `\\` (assumes use with E'' literals)
704-
* - SQLite : Escapes `'` as `''`; backslash is literal
705-
* - SQL Server : Escapes `'` as `''`; backslash is literal
707+
* - MySQL / MariaDB:
708+
* - Escapes single quote `'` as `\'`
709+
* - Escapes backslash `\` as `\\`
710+
*
711+
* - PostgreSQL:
712+
* - Escapes single quote `'` as `''`
713+
* - Escapes backslash `\` as `\\`
714+
* - Intended for standard string literals (NOT E'' unless handled externally)
715+
*
716+
* - SQLite:
717+
* - Escapes single quote `'` as `''`
718+
* - Backslash is treated as a literal character
719+
*
720+
* - SQL Server:
721+
* - Escapes single quote `'` as `''`
722+
* - Backslash is treated as a literal character
706723
*
707-
* All RDBMS: Converts `\r` and `\n` into `\\r` and `\\n`
724+
* @param string $query
725+
* Raw SQL string value to escape.
708726
*
709-
* @param string $query The raw SQL string to be escaped.
710-
* @return string The escaped SQL string, safe for inclusion in SQL statements.
727+
* @return string
728+
* Escaped SQL string safe for inclusion inside a quoted SQL literal.
711729
*/
712730
public function escapeSQL($query) // NOSONAR
713731
{
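Review bot: the rewritten docblock documents a behaviour change that this commit does not implement. The removed line "All RDBMS: Converts `\r` and `\n` into `\\r` and `\\n`" is replaced by "Newline characters are preserved as-is and stored correctly in the database", yet the page header reports 30 additions and 12 deletions and every one of them falls inside the comment above `public function escapeSQL($query)`; the method body is untouched. Either the old text was wrong and the body never converted newlines (in which case say so in the commit message), or the body still converts them and the new text is now the wrong one; please pair this docblock with the matching code change, or reference the commit that made it, so the two cannot drift. Second, the new PostgreSQL bullets state both "Escapes backslash `\` as `\\`" and "Intended for standard string literals (NOT E'' unless handled externally)"; in a standard-conforming PostgreSQL literal a backslash is an ordinary character, so doubling it stores two backslashes, which is exactly why the previous wording said "assumes use with E'' literals". Keep the earlier assumption or drop the backslash doubling for PostgreSQL, but the two statements should agree. A caller reading "safe for inclusion inside a quoted SQL literal" will otherwise trust a guarantee that holds only for one literal syntax.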
