Throw Exception for invalid PDO param name

Author: ezimuel

src/Adapter/Driver/Pdo/Pdo.php

@@ -304,6 +304,14 @@ public function getPrepareType()
     public function formatParameterName($name, $type = null)
     {
         if ($type === null && ! is_numeric($name) || $type == self::PARAMETERIZATION_NAMED) {
+            // @see https://bugs.php.net/bug.php?id=43130
+            if (preg_match('/[^a-zA-Z0-9_]/', $name)) {
+                throw new Exception\RuntimeException(sprintf(
+                    "The PDO param %s contains characters not allowed. " .
+                    "You can use only letter, digit, and underscore (_)",
+                    $name
+                ));
+            }
             return ':' . $name;
         }
 

test/Adapter/Driver/Pdo/PdoTest.php

@@ -44,9 +44,13 @@ public function getParamsAndType()
     {
         return [
             [ 'foo', null, ':foo' ],
+            [ 'foo_bar', null, ':foo_bar' ],
+            [ '123foo', null, ':123foo' ],
             [ 1, null, '?' ],
             [ '1', null, '?' ],
             [ 'foo', Pdo::PARAMETERIZATION_NAMED, ':foo' ],
+            [ 'foo_bar', Pdo::PARAMETERIZATION_NAMED, ':foo_bar' ],
+            [ '123foo', Pdo::PARAMETERIZATION_NAMED, ':123foo' ],
             [ 1, Pdo::PARAMETERIZATION_NAMED, ':1' ],
             [ '1', Pdo::PARAMETERIZATION_NAMED, ':1' ],
         ];
@@ -60,4 +64,23 @@ public function testFormatParameterName($name, $type, $expected)
         $result = $this->pdo->formatParameterName($name, $type);
         $this->assertEquals($expected, $result);
     }
+
+    public function getInvalidParamName()
+    {
+        return [
+            [ 'foo%' ],
+            [ 'foo-' ],
+            [ 'foo$' ],
+            [ 'foo0!' ]
+        ];
+    }
+
+    /**
+     * @dataProvider getInvalidParamName
+     * @expectedException Zend\Db\Exception\RuntimeException
+     */
+    public function testFormatParameterNameWithInvalidCharacters($name)
+    {
+        $this->pdo->formatParameterName($name);
+    }
 }