After upgrade from 2.7.0 to 2.8.0 :
When joining tables in a Select
object, the buildSqlString()
method includes all columns from joined tables (SQL_STAR) although they should be discarded by the third param in the Select::join($name, $on, $columns = self::SQL_STAR, $type = self::JOIN_INNER)
method.
This bug may lead to really poor performance after upgrade as joined tables are often used to filter results or even worse disclosing information in case the query is used to generate data (api). This probably may be marked as security bugfix as well.
This bug have been tested with php 5.6.20 / 7, Mysql, Oracle, Sql92 platforms.
Take a look at this example
(notice the $columns=[] param in the join() method and see also the columns()):
$select = new \Zend\Db\Sql\Select();
$select->from('my_table')
->join('joined_table', 'my_table.id = joined_table.id', $columns=[])
->columns([
'my_table_column',
]);
$sql_string = $this->sql->buildSqlString($select, $this->getAdapterForPlatform('Sql92'));
On 2.7.0 and before the resulting query string is correctly only producing one column:
SELECT
"my_table"."my_table_column" AS "my_table_column",
FROM "my_table"
INNER JOIN "joined_table" ON "my_table"."id" = "joined_table"."id"
After update to 2.8.0, the resulting query string incorrectly add all columns from the joined table. Take a look on the third line (joined_table.*)
SELECT
"my_table"."my_table_column" AS "my_table_column",
"joined_table".*
FROM "my_table"
INNER JOIN "joined_table" ON "my_table"."id" = "joined_table"."id"
I'm currently looking to provide a P/R and add some specs into the SqlFunctionnalTests. Feel free to help.