Fix SQL binding with $ not presented correctly in full query #1199
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
In
QueryCollector
,preg_replace
is used with a SQL parameterbinding
as thereplacement
variable, where dollar characters followed by an integer from 0–99 are interpreted as references to captures, and not displayed literally.The issue
This causes the displayed query in Debugbar to be incorrect, even though the bindings are correct. See the image below for an example, where the bindings for
firstName
andlastName
are presented incorrectly when displaying the full query.The test included in this PR fails prior to the PR:
I noticed the problem while working with re-hashing passwords, since the bcrypt hash format is
$2y$ROUNDS$SALT_HASH
. I'm guessing this issue hasn't been noticed before since it is not very common in other cases to store$n
values, for instance money is usually stored with the currency separately.Solution
Add
addcslashes($binding, '$')
to escape any dollar signs and present these literally.