[5.2] Wrap and escape MySQL JSON path

[sbusch]

Followup to PR #12964

Includes two tests (one related to #12964) to verify correct wrapping/escaping.

[sbusch]

I'd rather use getPdo()->quote() from an associated connection instance instead of custom replacements with str_replace() but the grammar class has no access to the connection apparently.

OTOH is it possible to use prepared statements with bound parameters for the JSON path, like field->?? That would be way better. If MySQL doesn't allow this we could convert to JSON_EXTRACT(column, path) which is equivalent[1] and should allow bound parameters. Unfortunately wrapValue() is unable to inject bound variables.

[1] In MySQL 5.7.9 and later, you can use column->path with a JSON column identifier and JSON path expression as a synonym for JSON_EXTRACT(column, path).

[sbusch]

Just tried: field->? is not allowed, but JSON_EXTRACT() would work.

[taylorotwell]

I guess I don't understand why we are quoting column names? Are people really passing user input directly into their column names?

[GrahamCampbell]

Are people really passing user input directly into their column names?

Well, if someone's not being careful with mass assignment, yes.

[taylorotwell]

I don't really know if this is the correct way to prevent SQL injection. It seems pretty hacky and I don't know why people should be passing user input into their column names. I would rather just document not to allow users to control your column names in your queries.