I think I discovered a problem with the delete wrapper $conds argument.
Database::delete documentation says that $conds maybe string|array, but when string is given, it is also treated with makeList( ..., LIST_AND) -- instead treated as plain database statement (e.g. when $conds is manually constructed as explained in [1])
Database::delete
lines 2714 seq.:
if ( $conds != '*' ) {
$sql .= ' WHERE ' . $this->makeList( $conds, LIST_AND );
}
$conds needs to be tested for string or array before makeList is applied, in my view.
If $conds is a string, then the statement should - in my view - be
$sql .= ' WHERE ' . $conds;
Shouldn't it ?
[1] https://www.mediawiki.org/wiki/Manual:Database_access#Wrapper_function:_select.28.29
"Arguments are either single values (such as 'category' and 'cat_pages > 0') or arrays, if more than one value is passed for an argument position (such as array('cat_pages > 0', $myNextCond)). If you pass in strings, you must manually use DatabaseBase::addQuotes() on your values as you construct the string, as the wrapper will not do this for you. "
Version: 1.22.0
Severity: normal