PHP Version
8.4
CodeIgniter4 Version
4.7.0
CodeIgniter4 Installation Method
Composer (using codeigniter4/appstarter)
Which operating systems have you tested for this bug?
Linux
Which server did you use?
fpm-fcgi
Environment
production
Database
MySQL 8.0
What happened?
updateBatch() appears to allow normal Query Builder chaining, but prior where() conditions are not applied in the way a developer would reasonably expect.
This creates a dangerous footgun where code that appears constrained can perform a broader batch update than intended.
Example:

```php
$db->table('form_fields')
    ->where('form_id', $formId)
    ->updateBatch($rows, 'id');
```
Steps to Reproduce
Given a table such as:

```sql
CREATE TABLE form_fields (
    id INT NOT NULL,
    form_id INT NOT NULL,
    label VARCHAR(255),
    PRIMARY KEY (id, form_id)
);
```

And rows:

```sql
INSERT INTO form_fields (id, form_id, label) VALUES
    (1, 100, 'Form 100 Field 1'),
    (1, 200, 'Form 200 Field 1');
```

Run:

```php
$rows = [
    ['id' => 1, 'label' => 'Updated Label'],
];

$db->table('form_fields')
    ->where('form_id', 100)
    ->updateBatch($rows, 'id');
```
Expected Output
Either:
- updateBatch() should apply the chained where() condition safely, or
- preferably, updateBatch() should throw a DatabaseException when existing where() conditions are present, instructing developers to use the supported batch constraint API.
Expected safety behavior:

```
// Throw DatabaseException:
updateBatch() cannot be safely combined with existing Query Builder WHERE conditions. Use updateBatch($data, $constraints), onConstraint(), or include all required constraint fields in the batch data.
```
Anything else?
I am not proposing a broad SQL-generation redesign.
The minimal reliability fix would be to fail loudly when unsupported builder state is present before updateBatch() runs. Silent broad updates are a data-corruption-class failure mode.
Even if this chaining pattern is considered unsupported, the current behavior is dangerous because the fluent Query Builder API makes it look valid.
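The following is an added example, not code from the report or from the CodeIgniter project, showing the safe pattern the report itself points to: carry the scoping column inside every batch row and pass it as part of the constraint set instead of relying on a chained `where()`. It assumes the `form_fields` table seeded above, the `updateBatch($data, $constraints)` signature named in the report, and CodeIgniter4's manual transaction methods (`transBegin()`, `transCommit()`, `transRollback()`) and `affectedRows()`. The post-update row-count check and the exception are defensive additions of this example.

```php
<?php
// Added example (not part of the original report). Assumes the seeded
// form_fields table and the CodeIgniter4 updateBatch($data, $constraints)
// form referenced in the report.

$db = \Config\Database::connect();

// Put the scoping column into each row so it becomes part of the constraint.
// A chained where('form_id', ...) is NOT applied by updateBatch(), so the
// scope must live in the batch data itself.
$formId = 100;
$rows = [
    ['id' => 1, 'form_id' => $formId, 'label' => 'Updated Label'],
];

// Each input row is keyed by the full primary key (id, form_id), so the
// batch can touch at most one row per input row.
$expected = count($rows);

$db->transBegin();

$db->table('form_fields')
    ->updateBatch($rows, ['id', 'form_id']); // both key columns constrain the UPDATE

// Equivalent form using the constraint API the report mentions:
// $db->table('form_fields')->setData($rows)->onConstraint(['id', 'form_id'])->updateBatch();

$affected = $db->affectedRows();

// Defensive check: more rows than expected means the scope did not hold.
// Roll back rather than leave a broader-than-intended update committed.
if ($affected > $expected) {
    $db->transRollback();
    throw new \RuntimeException(
        "updateBatch touched {$affected} rows, expected at most {$expected}; rolled back"
    );
}

$db->transCommit();
```

With the seeded data, only the (1, 100) row is rewritten and the (1, 200) row is untouched; the count check is a cheap last line of defence for any batch update whose blast radius should be bounded by its input.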