Skip to content

Commit 79d4cfd

Browse files
janedbaljanedbal
committed
Prevent misuse of DELETE with LIMIT in QueryBuilder
 This fixes a dangerous bug where LIMIT is silently ignored in DELETE operations, potentially causing developers to delete all rows instead of just the intended subset. The setMaxResults() method would be silently omitted from the final query, making operations like delete last entry accidentally delete entire tables.
1 parent 5301b99 commit 79d4cfd

File tree

2 files changed

+25
-0
lines changed

2 files changed

+25
-0
lines changed

src/QueryBuilder.php

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -547,6 +547,10 @@ public function getFirstResult(): int
547547
*/
548548
public function setMaxResults(int|null $maxResults): static
549549
{
550+
if ($this->type === QueryType::Delete || $this->type === QueryType::Update) {
551+
throw new RuntimeException('Setting a limit is not supported for delete or update queries.');
552+
}
553+
550554
$this->maxResults = $maxResults;
551555

552556
return $this;

tests/Tests/ORM/QueryBuilderTest.php

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@
2727
use PHPUnit\Framework\Attributes\Group;
2828
use PHPUnit\Framework\Attributes\WithoutErrorHandler;
2929
use PHPUnit\Framework\TestCase;
30+
use RuntimeException;
3031

3132
use function array_filter;
3233
use function class_exists;
@@ -72,6 +73,26 @@ public function testDeleteSetsType(): void
7273
$this->assertValidQueryBuilder($qb, 'DELETE Doctrine\Tests\Models\CMS\CmsUser u');
7374
}
7475

76+
public function testDeleteWithLimitNotSupported(): void
77+
{
78+
$this->expectException(RuntimeException::class);
79+
$this->expectExceptionMessage('Setting a limit is not supported for delete or update queries.');
80+
81+
$this->entityManager->createQueryBuilder()
82+
->delete(CmsUser::class, 'c')
83+
->setMaxResults(1);
84+
}
85+
86+
public function testUpdateWithLimitNotSupported(): void
87+
{
88+
$this->expectException(RuntimeException::class);
89+
$this->expectExceptionMessage('Setting a limit is not supported for delete or update queries.');
90+
91+
$this->entityManager->createQueryBuilder()
92+
->update(CmsUser::class, 'c')
93+
->setMaxResults(1);
94+
}
95+
7596
public function testUpdateSetsType(): void
7697
{
7798
$qb = $this->entityManager->createQueryBuilder()

0 commit comments

Comments
 (0)