fix: handling binary data for prepared statement (#9337)

* fix prepare statement sqlite

* fix prepare statement postgre

* fix prepare statement sqlsrv

* fix prepare statement oci8

* tests

* abstract isBinary() method

* fix prepare statement mysqli

* fix prepare statement oci8

* sqlsrv blob support

* fix tests

* add changelog

* fix rector

* make sqlsrv happy

* make oci8 happy - hopefully

* add a note about options for prepared statement

* ignore PreparedQueryTest.php file

* apply code suggestion for oci8

Author: michalsn

.php-cs-fixer.tests.php

@@ -26,6 +26,7 @@
         '_support/View/Cells/multiplier.php',
         '_support/View/Cells/colors.php',
         '_support/View/Cells/addition.php',
+        'system/Database/Live/PreparedQueryTest.php',
     ])
     ->notName('#Foobar.php$#');
 

system/Database/BasePreparedQuery.php

@@ -259,4 +259,12 @@ public function getErrorMessage(): string
     {
         return $this->errorString;
     }
+
+    /**
+     * Whether the input contain binary data.
+     */
+    protected function isBinary(string $input): bool
+    {
+        return mb_detect_encoding($input, 'UTF-8', true) === false;
+    }
 }

system/Database/MySQLi/PreparedQuery.php

@@ -66,15 +66,19 @@ public function _execute(array $data): bool
             throw new BadMethodCallException('You must call prepare before trying to execute a prepared statement.');
         }
 
-        // First off -bind the parameters
-        $bindTypes = '';
+        // First off - bind the parameters
+        $bindTypes  = '';
+        $binaryData = [];
 
         // Determine the type string
-        foreach ($data as $item) {
+        foreach ($data as $key => $item) {
             if (is_int($item)) {
                 $bindTypes .= 'i';
             } elseif (is_numeric($item)) {
                 $bindTypes .= 'd';
+            } elseif (is_string($item) && $this->isBinary($item)) {
+                $bindTypes .= 'b';
+                $binaryData[$key] = $item;
             } else {
                 $bindTypes .= 's';
             }
@@ -83,6 +87,11 @@ public function _execute(array $data): bool
         // Bind it
         $this->statement->bind_param($bindTypes, ...$data);
 
+        // Stream binary data
+        foreach ($binaryData as $key => $value) {
+            $this->statement->send_long_data($key, $value);
+        }
+
         try {
             return $this->statement->execute();
         } catch (mysqli_sql_exception $e) {

system/Database/OCI8/PreparedQuery.php

@@ -16,6 +16,7 @@
 use BadMethodCallException;
 use CodeIgniter\Database\BasePreparedQuery;
 use CodeIgniter\Database\Exceptions\DatabaseException;
+use OCILob;
 
 /**
  * Prepared query for OCI8
@@ -73,12 +74,24 @@ public function _execute(array $data): bool
             throw new BadMethodCallException('You must call prepare before trying to execute a prepared statement.');
         }
 
+        $binaryData = null;
+
         foreach (array_keys($data) as $key) {
-            oci_bind_by_name($this->statement, ':' . $key, $data[$key]);
+            if (is_string($data[$key]) && $this->isBinary($data[$key])) {
+                $binaryData = oci_new_descriptor($this->db->connID, OCI_D_LOB);
+                $binaryData->writeTemporary($data[$key], OCI_TEMP_BLOB);
+                oci_bind_by_name($this->statement, ':' . $key, $binaryData, -1, OCI_B_BLOB);
+            } else {
+                oci_bind_by_name($this->statement, ':' . $key, $data[$key]);
+            }
         }
 
         $result = oci_execute($this->statement, $this->db->commitMode);
 
+        if ($binaryData instanceof OCILob) {
+            $binaryData->free();
+        }
+
         if ($result && $this->lastInsertTableName !== '') {
             $this->db->lastInsertedTableName = $this->lastInsertTableName;
         }

system/Database/Postgre/Forge.php

@@ -173,6 +173,10 @@ protected function _attributeType(array &$attributes)
                 $attributes['TYPE'] = 'TIMESTAMP';
                 break;
 
+            case 'BLOB':
+                $attributes['TYPE'] = 'BYTEA';
+                break;
+
             default:
                 break;
         }

system/Database/Postgre/PreparedQuery.php

@@ -87,6 +87,12 @@ public function _execute(array $data): bool
             throw new BadMethodCallException('You must call prepare before trying to execute a prepared statement.');
         }
 
+        foreach ($data as &$item) {
+            if (is_string($item) && $this->isBinary($item)) {
+                $item = pg_escape_bytea($this->db->connID, $item);
+            }
+        }
+
         $this->result = pg_execute($this->db->connID, $this->name, $data);
 
         return (bool) $this->result;

system/Database/SQLSRV/Connection.php

@@ -368,7 +368,11 @@ protected function _fieldData(string $table): array
 
             $retVal[$i]->max_length = $query[$i]->CHARACTER_MAXIMUM_LENGTH > 0
                 ? $query[$i]->CHARACTER_MAXIMUM_LENGTH
-                : $query[$i]->NUMERIC_PRECISION;
+                : (
+                    $query[$i]->CHARACTER_MAXIMUM_LENGTH === -1
+                    ? 'max'
+                    : $query[$i]->NUMERIC_PRECISION
+                );
 
             $retVal[$i]->nullable = $query[$i]->IS_NULLABLE !== 'NO';
             $retVal[$i]->default  = $query[$i]->COLUMN_DEFAULT;

system/Database/SQLSRV/Forge.php

@@ -397,6 +397,11 @@ protected function _attributeType(array &$attributes)
                 $attributes['TYPE'] = 'BIT';
                 break;
 
+            case 'BLOB':
+                $attributes['TYPE'] = 'VARBINARY';
+                $attributes['CONSTRAINT'] ??= 'MAX';
+                break;
+
             default:
                 break;
         }

system/Database/SQLSRV/PreparedQuery.php

@@ -59,7 +59,7 @@ public function _prepare(string $sql, array $options = []): PreparedQuery
         // Prepare parameters for the query
         $queryString = $this->getQueryString();
 
-        $parameters = $this->parameterize($queryString);
+        $parameters = $this->parameterize($queryString, $options);
 
         // Prepare the query
         $this->statement = sqlsrv_prepare($this->db->connID, $sql, $parameters);
@@ -120,16 +120,22 @@ protected function _close(): bool
 
     /**
      * Handle parameters.
+     *
+     * @param array<int, mixed> $options
      */
-    protected function parameterize(string $queryString): array
+    protected function parameterize(string $queryString, array $options): array
     {
         $numberOfVariables = substr_count($queryString, '?');
 
         $params = [];
 
         for ($c = 0; $c < $numberOfVariables; $c++) {
             $this->parameters[$c] = null;
-            $params[]             = &$this->parameters[$c];
+            if (isset($options[$c])) {
+                $params[] = [&$this->parameters[$c], SQLSRV_PARAM_IN, $options[$c]];
+            } else {
+                $params[] = &$this->parameters[$c];
+            }
         }
 
         return $params;

system/Database/SQLite3/PreparedQuery.php

@@ -75,6 +75,8 @@ public function _execute(array $data): bool
                 $bindType = SQLITE3_INTEGER;
             } elseif (is_float($item)) {
                 $bindType = SQLITE3_FLOAT;
+            } elseif (is_string($item) && $this->isBinary($item)) {
+                $bindType = SQLITE3_BLOB;
             } else {
                 $bindType = SQLITE3_TEXT;
             }