
Escape sprintf % chars in queries
Thanks m92o
m92o authored and treffynnon committed Nov 8, 2012
1 parent 6ad8dc1 commit 84bd58f
Showing 2 changed files with 7 additions and 0 deletions.
3 changes: 3 additions & 0 deletions idiorm.php
Expand Up @@ -271,6 +271,9 @@ protected static function _log_query($query, $parameters) {
// Escape the parameters
$parameters = array_map(array(self::$_db, 'quote'), $parameters);

// Avoid %format collision for vsprintf
$query = str_replace("%", "%%", $query);

// Replace placeholders in the query for vsprintf
$query = str_replace("?", "%s", $query);

4 changes: 4 additions & 0 deletions test/test_queries.php
Expand Up @@ -120,6 +120,10 @@
$expected = "SELECT * FROM `widget` WHERE `name` = 'Fred' AND (`age` = '5' OR `age` = '10')";
Tester::check_equal("Raw WHERE clause", $expected);

ORM::for_table('widget')->where_raw('STRFTIME("%Y", "now") = ?', array(2012))->find_many();
$expected = "SELECT * FROM `widget` WHERE STRFTIME(\"%Y\", \"now\") = '2012'";
Tester::check_equal("Raw WHERE clause with '%'", $expected);

ORM::for_table('widget')->where_raw('`name` = "Fred"')->find_many();
$expected = "SELECT * FROM `widget` WHERE `name` = \"Fred\"";
Tester::check_equal("Raw WHERE clause with no parameters", $expected);
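Review bot: The new case only exercises a `%` in the raw SQL text; it does not cover a `%` inside a bound parameter, which is the other path through the same vsprintf call and the one a LIKE pattern hits. A constructed companion case in the same style would be `ORM::for_table('widget')->where_raw('name LIKE ?', array('%Fred%'))->find_many();` followed by `$expected = "SELECT * FROM `widget` WHERE name LIKE '%Fred%'";` and `Tester::check_equal("Raw WHERE clause with '%' in parameter", $expected);`. The expected string assumes the test harness's quote() wraps values in single quotes without further escaping, as the existing `'Fred'` expectation on the first line of this hunk suggests; adjust if the harness behaves differently.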
