From 252397d8d1bd518af50b3064818642565783ec7e Mon Sep 17 00:00:00 2001 From: Nicola Fontana Date: Tue, 26 Feb 2019 21:47:12 +0100 Subject: [PATCH] Fix #8829: mention get_one does not escape field names --- src/ORM/DataObject.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ORM/DataObject.php b/src/ORM/DataObject.php index 2d6931ec0..ab41e0388 100644 --- a/src/ORM/DataObject.php +++ b/src/ORM/DataObject.php @@ -3154,9 +3154,14 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity * Return the first item matching the given query. * All calls to get_one() are cached. * + * The filter argument supports parameterised queries (see SQLSelect::addWhere() for syntax examples). Because + * of that (and differently from e.g. DataList::filter()) you need to manually escape the field names: + * + * $member = DataObject::get_one('Member', [ '"FirstName"' => 'John' ]); + * + * * @param string $callerClass The class of objects to be returned * @param string|array $filter A filter to be inserted into the WHERE clause. - * Supports parameterised queries. See SQLSelect::addWhere() for syntax examples. * @param boolean $cache Use caching * @param string $orderby A sort expression to be inserted into the ORDER BY clause. *
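Review bot: In the added docblock paragraph, "manually escape the field names" does not say what the caller has to do or why it matters; the example only shows the key wrapped in double quotes (`'"FirstName"'`). Since `$filter` is documented just below as "inserted into the WHERE clause", I would state outright that only the array value is bound as a parameter, that the key is placed into the SQL as written, and that keys must therefore be fixed, double-quoted identifiers and never built from request data. "differently from e.g. DataList::filter()" would read better as "unlike DataList::filter()". The removed line under `@param string|array $filter` was the only hint at that parameter itself; consider keeping a short pointer there (for example "See above for quoting of field names"), since tooling that shows per-parameter docs will otherwise lose the warning. The example is also followed by more than one empty ` *` line, and one is enough.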