Skip to content

QueryBuilder: prevent misuse of DELETE with LIMIT #12068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
greg0ire merged 1 commit into from
Jul 12, 2025
Merged

QueryBuilder: prevent misuse of DELETE with LIMIT #12068

greg0ire merged 1 commit into from
Jul 12, 2025

Conversation

@janedbal
Copy link
Contributor

@janedbal janedbal commented Jul 10, 2025
edited
Loading

Imagine you want to delete just last entry, but all your rows disappear:

$this->entityManager->createQueryBuilder()
            ->delete(MyEntity::class, 'e')
            ->orderBy('e.createdAt', 'ASC')
            ->setMaxResults(1); // limit ignored silently

I believe Doctrine should protect developers from doing destructive operations by not silently omitting crucial part of query builder (LIMIT, although named setMaxResults).

greg0ire
greg0ire reviewed Jul 10, 2025
View reviewed changes
greg0ire
greg0ire reviewed Jul 10, 2025
View reviewed changes
@janedbal
Prevent misuse of DELETE with LIMIT in QueryBuilder
79d4cfd 
      This fixes a dangerous bug where LIMIT is silently ignored in DELETE
      operations, potentially causing developers to delete all rows instead
      of just the intended subset. The setMaxResults() method would be
      silently omitted from the final query, making operations like
      delete last entry accidentally delete entire tables.
@janedbal janedbal force-pushed the prevent-delete-limit-misuse branch from 06ce8b0 to 79d4cfd Compare July 10, 2025 15:31
@greg0ire greg0ire added this to the 3.6.0 milestone Jul 12, 2025
@greg0ire greg0ire merged commit d583460 into doctrine:3.6.x Jul 12, 2025
85 checks passed
@greg0ire
Copy link
Member

greg0ire commented Jul 12, 2025

Thanks @janedbal !

@greg0ire greg0ire mentioned this pull request Aug 30, 2025
Open
@github-actions github-actions bot mentioned this pull request Dec 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greg0ire greg0ire greg0ire approved these changes

@SenseException SenseException SenseException approved these changes

@derrabus derrabus Awaiting requested review from derrabus

Assignees

No one assigned

Labels

Improvement

Projects

None yet

Milestone

3.6.0

Development

Successfully merging this pull request may close these issues.

3 participants

@janedbal @greg0ire @SenseException