Make InsertBulkQuery.php faster.

Author: byjg

docs/updating-the-database.md

@@ -1,7 +1,7 @@
 # Updating the Database
 
-Once you have defined the model, (see [Getting Started](getting-started-model.md)) you can start to interact with the database
-and doing queries, updates, and deletes.
+Once you have defined the model, (see [Getting Started](getting-started-model.md)) you can start to
+interact with the database and doing queries, updates, and deletes.
 
 ## Update
 
@@ -27,9 +27,10 @@ $users->name = "New name";
 $repository->save($users);
 ```
 
-## Using the UpdateQuery (Special Cases)
+## Using the UpdateQuery for Multiple Records
 
-In some cases you need to update multiples records at once. See an example:
+UpdateQuery allows you to update multiple records simultaneously with a single query. This is more efficient than
+retrieving and updating individual records one by one when you need to apply the same changes to many records.
 
 ```php
 <?php
@@ -42,7 +43,7 @@ $updateQuery->where('fld1 > :id', ['id' => 10]);
 ```
 
 This code will update the table `test` and set the fields `fld1`, `fld2`, and `fld3` to `A`, `B`, and `C`
-respectively where the `fld1` is greater than 10.
+respectively for all records where `fld1` is greater than 10.
 
 ## Insert records with InsertQuery
 
@@ -91,6 +92,23 @@ $insertBulk->values(['fld1' => 'D', 'fld2' => 'E']);
 $insertBulk->values(['fld1' => 'G', 'fld2' => 'H']);
 ```
 
+By default, InsertBulkQuery uses a faster but less secure approach. To use parameterized queries for
+better security (especially when handling user input), you can enable safe mode:
+
+```php
+<?php
+$insertBulk = new InsertBulkQuery('test', ['fld1', 'fld2']);
+$insertBulk->withSafeParameters(); // Enable safe parameterized queries
+$insertBulk->values(['fld1' => $userInput1, 'fld2' => $userInput2]);
+$insertBulk->values(['fld1' => $userInput3, 'fld2' => $userInput4]);
+```
+
+> **⚠️ Security Warning:** By default, the `InsertBulkQuery` implementation uses direct value embedding with
+> basic escaping rather than parameterized queries. This makes it faster but potentially vulnerable to
+> SQL injection attacks with untrusted data. Use the `withSafeParameters()` method when dealing with
+> user input for better security, although this may reduce performance for large batch operations.
+> For maximum security with user input, consider using the `InsertQuery` for individual inserts.
+
 ## Delete records
 
 You can delete records using the `DeleteQuery` object. See an example:
@@ -100,4 +118,4 @@ You can delete records using the `DeleteQuery` object. See an example:
 $deleteQuery = new \ByJG\MicroOrm\DeleteQuery();
 $deleteQuery->table('test');
 $deleteQuery->where('fld1 = :value', ['value' => 'A']);
-```
+```

src/InsertBulkQuery.php

@@ -5,6 +5,7 @@
 use ByJG\AnyDataset\Db\DbFunctionsInterface;
 use ByJG\MicroOrm\Exception\OrmInvalidFieldsException;
 use ByJG\MicroOrm\Interface\QueryBuilderInterface;
+use ByJG\MicroOrm\Literal\Literal;
 use InvalidArgumentException;
 
 class InsertBulkQuery extends Updatable
@@ -15,6 +16,8 @@ class InsertBulkQuery extends Updatable
 
     protected ?SqlObject $sqlObject = null;
 
+    protected bool $safe = false;
+
     public function __construct(string $table, array $fieldNames)
     {
         $this->table($table);
@@ -30,6 +33,12 @@ public static function getInstance(string $table, array $fieldNames): static
         return new InsertBulkQuery($table, $fieldNames);
     }
 
+    public function withSafeParameters(): static
+    {
+        $this->safe = true;
+        return $this;
+    }
+
     /**
      * @throws OrmInvalidFieldsException
      */
@@ -82,7 +91,15 @@ public function build(DbFunctionsInterface $dbHelper = null): SqlObject
             foreach ($columns as $j => $col) {
                 $paramKey = "p{$i}_$j"; // Generate the parameter key
                 $rowPlaceholders[] = ":$paramKey"; // Add to row placeholders
-                $params[$paramKey] = $this->fields[$col][$i]; // Map parameter key to value
+                if ($this->safe) {
+                    $params[$paramKey] = $this->fields[$col][$i];
+                } else {
+                    $value = str_replace("'", "''", $this->fields[$col][$i]);
+                    if (!is_numeric($value)) {
+                        $value = $dbHelper?->delimiterField($value) ?? "'{$value}'";
+                    }
+                    $params[$paramKey] = new Literal($value); // Map parameter key to value
+                }
             }
             $placeholders[] = '(' . implode(', ', $rowPlaceholders) . ')'; // Add row placeholders to query
         }

tests/InsertBulkQueryTest.php

@@ -3,16 +3,31 @@
 namespace Tests;
 
 use ByJG\MicroOrm\InsertBulkQuery;
+use ByJG\MicroOrm\Literal\Literal;
 use PHPUnit\Framework\TestCase;
 
 class InsertBulkQueryTest extends TestCase
 {
     public function testInsert()
+    {
+        $insertBulk = new InsertBulkQuery('test', ['fld1', 'fld2']);
+        $insertBulk->values(['fld1' => 'A', 'fld2' => 'B']);
+        $insertBulk->values(['fld1' => 'D', 'fld2' => new Literal("E")]);
+        $insertBulk->values(['fld1' => "G'1", 'fld2' => 'H']);
+
+        $sqlObject = $insertBulk->build();
+
+        $this->assertEquals("INSERT INTO test (fld1, fld2) VALUES ('A', 'B'), ('D', 'E'), ('G''1', 'H')", $sqlObject->getSql());
+        $this->assertEquals([], $sqlObject->getParameters());
+    }
+
+    public function testInsertSafe()
     {
         $insertBulk = new InsertBulkQuery('test', ['fld1', 'fld2']);
         $insertBulk->values(['fld1' => 'A', 'fld2' => 'B']);
         $insertBulk->values(['fld1' => 'D', 'fld2' => 'E']);
         $insertBulk->values(['fld1' => 'G', 'fld2' => 'H']);
+        $insertBulk->withSafeParameters();
 
         $sqlObject = $insertBulk->build();
 
@@ -27,6 +42,7 @@ public function testInsert()
         ], $sqlObject->getParameters());
     }
 
+
     public function testInsertDifferentOrder()
     {
         $insertBulk = new InsertBulkQuery('test', ['fld1', 'fld2', 'fld3']);
@@ -36,18 +52,8 @@ public function testInsertDifferentOrder()
 
         $sqlObject = $insertBulk->build();
 
-        $this->assertEquals('INSERT INTO test (fld1, fld2, fld3) VALUES (:p0_0, :p0_1, :p0_2), (:p1_0, :p1_1, :p1_2), (:p2_0, :p2_1, :p2_2)', $sqlObject->getSql());
-        $this->assertEquals([
-            'p0_0' => 'A',
-            'p0_1' => 'B',
-            'p0_2' => 'C',
-            'p1_0' => 'D',
-            'p1_1' => 'E',
-            'p1_2' => 'F',
-            'p2_0' => 'G',
-            'p2_1' => 'H',
-            'p2_2' => 'I',
-        ], $sqlObject->getParameters());
+        $this->assertEquals("INSERT INTO test (fld1, fld2, fld3) VALUES ('A', 'B', 'C'), ('D', 'E', 'F'), ('G', 'H', 'I')", $sqlObject->getSql());
+        $this->assertEquals([], $sqlObject->getParameters());
     }
 
     public function testWrongFieldsValuesCount()

tests/ORMTest.php

@@ -3,8 +3,11 @@
 namespace Tests;
 
 use ByJG\MicroOrm\FieldMapping;
+use ByJG\MicroOrm\Literal\HexUuidLiteral;
+use ByJG\MicroOrm\Literal\Literal;
 use ByJG\MicroOrm\Mapper;
 use ByJG\MicroOrm\ORM;
+use ByJG\MicroOrm\ORMHelper;
 use PHPUnit\Framework\TestCase;
 use Tests\Model\Class1;
 use Tests\Model\Class2;
@@ -121,4 +124,47 @@ public function testGetQuery()
         $query = ORM::getQueryInstance('table2', 'table3');
         $this->assertEquals("SELECT  * FROM table1 INNER JOIN table2 ON table1.id = table2.id_table1 INNER JOIN table3 ON table1.id = table3.id_table1", $query->build()->getSql());
     }
+
+    public function testProcessLiteral()
+    {
+        $query = ORM::getQueryInstance('table1');
+        $query->where('field1 = :value', ['value' => new Literal('upper(field1)')]);
+        $this->assertEquals("SELECT  * FROM table1 WHERE field1 = upper(field1)", $query->build()->getSql());
+
+    }
+
+    public function testProcessHexUuidLiteral()
+    {
+        $query = ORM::getQueryInstance('table1');
+        $query->where('field1 = :value', ['value' => new HexUuidLiteral(hex2bin('01010101010101010101010101010101'))]);
+        $this->assertEquals("SELECT  * FROM table1 WHERE field1 = X'01010101010101010101010101010101'", $query->build()->getSql());
+    }
+
+    public function testProcessLiteralUnsafe()
+    {
+        $query = ORM::getQueryInstance('table1');
+        $query->where('field1 = :value', ['value' => new Literal(10)]);
+
+        $sqlObject = $query->build();
+        $sql = $sqlObject->getSql();
+        $params = $sqlObject->getParameters();
+
+        $sql = ORMHelper::processLiteral($sql, $params);
+        $this->assertEquals("SELECT  * FROM table1 WHERE field1 = 10", $sql);
+    }
+
+    public function testProcessLiteralString()
+    {
+        $query = ORM::getQueryInstance('table1');
+        $query->where('field1 = :value', ['value' => new Literal("'testando'")]);
+        $query->where('field2 = :value2', ['value2' => new Literal("'Joana D''Arc'")]);
+
+        $sqlObject = $query->build();
+        $sql = $sqlObject->getSql();
+        $params = $sqlObject->getParameters();
+
+        $sql = ORMHelper::processLiteral($sql, $params);
+        $this->assertEquals("SELECT  * FROM table1 WHERE field1 = 'testando' AND field2 = 'Joana D''Arc'", $sql);
+        $this->assertEquals([], $params);
+    }
 }