2016.3 SQL language injection broken by HTML tag literal

I have lots of SQL in my code and PhpStorm parses it nicely via a language injection. But sometimes this breaks since the 2016.3 update. E.g.:

$sql = "SELECT first, last FROM contact"; //works
$sql = "SELECT first, last, CONCAT(first, ' ', last) AS full_name FROM contact"; //works
$sql = "SELECT first, last, CONCAT(first, '<br />', last) AS full_name FROM contact"; //worked in 2016.2, broken in 2016.3

Oddly, it seems specifically both < and > are required to break this; i.e.:

$sql = "SELECT first, last, CONCAT(first, '<br>', last) AS full_name FROM contact"; //no closing slash still broken
$sql = "SELECT first, last, CONCAT(first, '<br<', last) AS full_name FROM contact"; //works
$sql = "SELECT first, last, CONCAT(first, '>br>', last) AS full_name FROM contact"; //works
$sql = "SELECT first, last, CONCAT(first, '>br<', last) AS full_name FROM contact"; //works

Have gone to Settings > Editor > Language injections and looked at the relevant one - but can't figure out what in there may cause the behaviour. Any ideas much appreciated...

2 comments

Hi there,

No idea how it worked in the past .. but right now it looks like it may take sorting order into consideration -- the first matching rule will decide what injection to use (although there are no sorting buttons for user to put one rule before another).

Possible solutions (until (and if -- maybe it's intended new behaviour) this will be fixed) -- they require small code altering:

1. Add custom PHPDoc comment where you can specify what language should be injected here

$sql = /** @lang SQL */"SELECT first, last, CONCAT(first, '<br />', last) AS full_name FROM contact";

2. (my personal choice) -- use HEREDOC/NOWDOC with correct labels for such constructs -- reliable and easy to read (no need for extra comments -- use language-provided functionality)

$sql = <<<SQL
SELECT first, last, CONCAT(first, '<br />', last) AS full_name FROM contact
SQL;

 

Permanently deleted user

Hi Andriy

Many thanks for the reply, much appreciated. I was completely missing the obvious point, that the HTML tag was causing the HTML language injection to hijack the SQL one! As you say, there seems no control of precedence.

Luckily I rarely use long HTML literals so have just turned off that particular injection and things are working as expected. But concur that HEREDOC is a better way, so will try to do that from now on.
