Might as well escape ':' as well.

This avoids the possibility of a parameter placeholder appearing inside a string
value and then being substituted.
This commit is contained in:
Andrew McMillan 2010-04-28 20:15:37 +12:00
parent cc3e80ffec
commit bfbe6a1e9a


@ -233,7 +233,13 @@ class AwlDBDialect {
break;
case PDO::PARAM_STR:
default:
$rv = "'".str_replace("'", "''", str_replace('\\', '\\x5c', $value))."'";
/**
* PDO handling of \ seems unreliable. We can't use $$string$$ syntax because it also doesn't
* work. We need to replace ':' so no other named parameters accidentally rewrite the content
* inside this string(!), and since we're using ' to delimit the string we need SQL92-compliant
* '' to replace it.
*/
$rv = "'".str_replace("'", "''", str_replace(':', '\\x3a', str_replace('\\', '\\x5c', $value)))."'";
if ( $this->dialect == 'pgsql' && strpos( $rv, '\\' ) !== false ) {
/**
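Review bot: The `':'`→`'\x3a'` replacement added on line 23 (like the existing `'\'`→`'\x5c'` one) runs for every dialect, yet only the PostgreSQL `E'...'` literal produced under the `pgsql` check on the next line decodes `\xhh`; on MySQL an unrecognised `\x` escape is read as a plain `x` and SQLite gives backslash no special meaning, so a value such as `12:30` would reach those backends altered rather than escaped, unless some driver layer decodes it first. I would put the hex substitutions under the same dialect test, e.g. `$value = $this->dialect == 'pgsql' ? str_replace(['\\', ':'], ['\\x5c', '\\x3a'], $value) : $value;` (backslash first so the inserted `\x3a` is not re-escaped), and extend the comment block to state that this escaping assumes PostgreSQL. That still leaves the `:name` rewrite hazard the comment describes unaddressed for the other backends; the durable fix is to keep already-quoted literals out of whatever pass substitutes named parameters, which lies outside this hunk. The enclosing method starts before the hunk.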
@ -243,14 +249,6 @@ class AwlDBDialect {
$rv = 'E'.str_replace('?', '\\x3f', $rv);
}
/**
* This code fails because on some (unspecified) occasions PHP sees a ':name@' and replaces it with $1!!!
$delimiter = '$$';
while( strpos($value, $delimiter) !== false ) {
$delimiter = sprintf('$%d$'.rand(99999));
}
$rv = $delimiter . $value . $delimiter;
*/
}
return $rv;