Escape LIKE metacharacters

[greg0ire]

There seems to be a lack of tools to fight against wildcard attacks, or to simply provide a way to let your users search for strings that include metacharacters

todo

• add a functional test to make sure valid SQL expressions are built by means of the new API.
• allow specifying an escape character in the expression builder like and notLike methods.
• implement getWildcardCharacters for RDBMSs that have more than the default wildcard characters.

[Taluu]

$untrustedString ?

[Taluu]

: string and : iterable ?

[greg0ire]

Please tell me if you're fine with the feature, the naming, and I should add implementations, docs and tests.

[morozov]

@greg0ire I have a feeling that in most supported DB platforms, escaping wildcard characters works almost the same.

Instead of introducing new abstract methods which is a breaking change, can you introduce default implementations for them?

[morozov]

The escape character itself should also be always escaped. Does this approach account for getLikeMetaCharacters() always returning getLikeEscapeChar() or escapeStringForLike() should handle that itself?

[greg0ire]

I think the best is to let escapeStringForLike handle it, and I could rename "meta" to "wildcard", what do you think?

[morozov]

Agree on both.

[morozov]

This is not about trust. The input is an arbitrary string with no meaning while the output is a LIKE expression.

[greg0ire]

It could indeed come from a trusted source and still need to be escaped because you genuinely want to search for that 👍

[greg0ire]

"Funny" thing: In MS SQL, the escape character has to be picked by the user and has no default: https://docs.microsoft.com/en-us/sql/t-sql/language-elements/like-transact-sql
I think this means any char would do.

[morozov]

Funny thing: In MS SQL, the escape character has to be picked by the user and has no default: https://docs.microsoft.com/en-us/sql/t-sql/language-elements/like-transact-sql

In my personal experience, it defaults to ! same as in other databases.

-- Syntax for SQL Server and Azure SQL Database

match_expression [ NOT ] LIKE pattern [ ESCAPE escape_character ]

Why is then the ESCAPE part optional?

[greg0ire]

Why is then the ESCAPE part optional?

Probably because you don't always need to escape characters

[greg0ire]

For PostgreSQL and MySQL, you can specify an escape char too, but it defaults to backslash

[morozov]

Also IIRC, in IBM DB2 there's also a different default escape character. Probably, we need to gather escaping examples for all DBs and then see if the ESCAPE part can be avoided by using the default escape character for the current platform. Otherwise, it may turn out that just escaping the string may be insufficient and the API will need to look somehow differently.

[greg0ire]

MySQL sounds like a lot of fun:

 Because MySQL uses C escape syntax in strings (for example, \n to represent a newline character), you must double any \ that you use in LIKE strings. For example, to search for \n, specify it as \\n. To search for \, specify it as \\\\; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against.

Exception: At the end of the pattern string, backslash can be specified as \\. At the end of the string, backslash stands for itself because there is nothing following to escape. Suppose that a table contains the following values: 

[greg0ire]

Also IIRC, in IBM DB2 there's also a different default escape character. Probably, we need to gather escaping examples for all DBs and then see if the ESCAPE part can be avoided by using the default escape character for the current platform. Otherwise, it may turn out that just escaping the string may be insufficient and the API will need to look somehow differently.

Well the only one which seems problematic to me is MS SQL, because it seems you have to append ESCAPE somechar and escape with that char to get it to work. A solution could be to pick some random char and always use ESCAPE no matter what but that would imply all systems have that escape char specification capability.

[greg0ire]

Ok so let's start the gathering

Platform	Escape sequence
PostgreSQL	\
MySQL	\
SQLite	\
MS SQL	none
DB2	none
Oracle	none
SQL Anywhere	none

[greg0ire]

the API will need to look somehow differently.

That's right, I think an optional $escapeChar argument could be added to escapeStringForLike, and let the user be responsible for specifying it again when provided whatever they want to the like() method of the expression builder.

[morozov]

That's right, I think an optional $escapeChar argument could be added to escapeStringForLike

It should be either mandatory or not configurable at all and accessible in a read-only mode (e.g. const ESCAPE_CHAR = '!').

If mandatory, the caller will always manually pass the character of choice to the escaping function and add it to ESCAPE. If read-only, the caller will always take its value and also add it to ESCAPE.

Otherwise, the caller doesn't know if it's needed for a given string and platform and what to pass to ESCAPE and if it's needed at all.

[greg0ire]

I think the mandatory parameter might be best: it offers the most control, and it acts as a better reminder since people not knowing what to specify will read the phpdoc, where I can document that they need to also add ESCAPE

[greg0ire]

Tell me if I should allow them instead, or even remove that check and let the RDBMS deal with that.

[morozov]

I'd say the DB should decide what's valid and what's not. Even if it's known that it should be one character for all supported platforms, there may exist other platform-specific limitations which we'll not be able to cover. Let's not even try.

[morozov]

I'd also add a functional test to make sure valid SQL expressions are built by means of the new API.

[morozov]

Could you add the underscore here as well?

[morozov]

The "properly" part seems redundant. It's implied that the test will only pass if the API is implemented properly.

[morozov]

If it's not enforced by the API, I'd omit the "should be exactly one character long" part. It's still a DB abstraction layer where all DB limitations are implied but don't necessarily have to be called out. The rest is valid.

[morozov]

Not sure if it's outside of the scope but maybe the QueryBuilderExpressionBuilder should be able to build the [NOT] LIKE ? ESCAPE ? expression to encapsulate the SQL syntax. In that case, the client-side code might look like:

$pattern = $platform->escapeStringForLike($input, '!') . '%';
$builder->like($pattern, '!');

The builder, in turn, may or may not append the ESCAPE part the expression depending on whether the escape character or wildcard characters are found in the pattern (for sake of compactness).

Looks a bit complicated but I can't see a simpler approach.

[greg0ire]

@Majkl578 @morozov I switched to preg + implode, please review again, and agree on something :P

[Majkl578]

I don't really care which way it is, but array doesn't give any guarantees about chars or even string[] rather than arbitrary mixed[]. I can technically do:

protected function getLikeWildcardCharacters() : array
{
    return [$this];
}

And there will be lots of dragons. 🐲

That's why I proposed using simple string instead of array.

[morozov]

Agree, let’s revert to the string. It makes more sense with the regexp approach.

[greg0ire]

Agreement! Great, let's do this!

[Ocramius]

Classy 💩

[greg0ire]

IKR?

[Ocramius]

LGTM 👍

[Ocramius]

Agree, let’s revert to the string. It makes more sense with the regexp approach.

Not needed: string[] is a sufficient documentation for subclasses/implementors. In addition to that, there is no guarantee that the wildcard is a single char (although I do really hope that's the case everywhere :-P)

[Ocramius]

Oh well, I see it's done anyway. Waiting for CI, then 🚢

[greg0ire]

Ready to 🚢

[Ocramius]

👍