From bfbe6a1e9aebaa69ba9c79c546d4d2871e02415c Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Wed, 28 Apr 2010 20:15:37 +1200
Subject: [PATCH] Might as well escape ':' as well.
This avoids the possibility of parameter use inside strings and then subsequent replacement.
---
 inc/AwlDBDialect.php | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/inc/AwlDBDialect.php b/inc/AwlDBDialect.php
index 0f21701b..fc982029 100644
--- a/inc/AwlDBDialect.php
+++ b/inc/AwlDBDialect.php
@@ -233,7 +233,13 @@ class AwlDBDialect {
 break;
 case PDO::PARAM_STR:
 default:
- $rv = "'".str_replace("'", "''", str_replace('\\', '\\x5c', $value))."'";
+ /**
+ * PDO handling of \ seems unreliable. We can't use $$string$$ syntax because it also doesn't
+ * work. We need to replace ':' so no other named parameters accidentally rewrite the content
+ * inside this string(!), and since we're using ' to delimit the string we need SQL92-compliant
+ * '' to replace it.
+ */
+ $rv = "'".str_replace("'", "''", str_replace(':', '\\x3a', str_replace('\\', '\\x5c', $value)))."'";
 if ( $this->dialect == 'pgsql' && strpos( $rv, '\\' ) !== false ) {
 /**
@@ -243,14 +249,6 @@ class AwlDBDialect {
 $rv = 'E'.str_replace('?', '\\x3f', $rv);
 }
 
- /**
- * This code fails because on some (unspecified) occasions PHP sees a ':name@' and replaces it with $1!!!
- $delimiter = '$$';
- while( strpos($value, $delimiter) !== false ) {
- $delimiter = sprintf('$%d$'.rand(99999));
- }
- $rv = $delimiter . $value . $delimiter;
- */
 }
 return $rv;
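Review bot: The new `'\\x3a'` rewrite on the `$rv =` line is only decoded back to ':' on the pgsql path, where the `E` prefix emitted a few lines below makes the server interpret `\xNN` escapes; for every other dialect nothing in this hunk decodes it, so a value containing ':' (timestamps, URLs, `mailto:` addresses) now reaches the database as the literal characters `\x3a` — the pre-existing `'\\x5c'` rewrite shares the same dialect dependency. Making the two substitutions conditional on `$this->dialect == 'pgsql'` would stop the corruption but would leave non-pgsql dialects exposed to the very hazard this commit targets, so the durable fix lies outside the hunk: perform the placeholder substitution in a single left-to-right pass over the SQL (substituting from the parameter array as each placeholder is met) so that already-substituted literal text is never rescanned, which removes the need to mangle ':' at all. The comment block would be more useful if it said that the `\x5c`/`\x3a` escapes rely on PostgreSQL's `E''` escape-string syntax rather than the unsubstantiated "PDO handling of \ seems unreliable", and noted the non-pgsql caveat. The enclosing method starts before this hunk and its end is cut off after the second hunk.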