Fixes the special characters in bindParam for PDO

[ezimuel]

This PR solve #35 and replaces #178. The $name in bindParam are replaced with the following, due to the PDO restriction [0-9a-zA-Z_]:

return ':' . md5($name);

For instance, a filed name test$ will be translated in :79f5d7a7e10367f279c2500dcd03b3de as bind param name. I used the md5() approach after some benchmark tests, see comments and commits below. I also provided unit test and integrational test.

[ezimuel]

In the last commit, I changed the usage of preg_replace_callback in favor of md5() for performance reason. I did some benchmark test showing a big difference. MD5 if from 3x to 4x faster than preg_replace_callback.

[alshayed]

Hi, is there any expected time frame for this to get merged in and released? Thanks!

[ezimuel]

@alshayed I'll release in two weeks, sorry for the delay.

[weierophinney]

Looks good; I've provided a little feedback on a few readability changes, but otherwise, ready to merge!

[weierophinney]

I'd use sprintf here to make it more readable:

$this->statement->prepare(sprintf(
    'INSERT INTO test (text_, text$) VALUES (:%s, :%s)',
    md5('text_'),
    md5('text$')
));

[ezimuel]

Changed.

[weierophinney]

Return early if $sql is empty:

if (empty($sql)) {
    return;
}

if (false === $this->exec($sql)) {
    throw new \Exception(/* ... */);
}

[ezimuel]

Fixed

[ezimuel]

@weierophinney thanks for the review. I added all the feedbacks. There are some conflicts due to the date of this PR but I think we can manage it during the merge.

[ezimuel]

I'm removing this PR because introduces issue like #288. It's not possible to fix #35 because of PHP bug 43130. This bug won't fix because of this and this. Releasing zend-db 2.9.1 with this revert.

[michalbundyra]

@ezimuel

It's not possible to fix #35

It is possible, IMHO.
What if we also replace fields in the query, not only on binding?

[ezimuel]

@webimpress it's not safe to use characters like - in bind param name. Please, read the php.cvs 46848 and 47302.

[michalbundyra]

@ezimuel yes, I've seen them. And as I understand you replace names with md5 names, but you are not changing these names in the query string but only on binding. What if we change them in both places?

[ezimuel]

@webimpress It's not considered a best practice to use these characters in bind param name. Why you want to allow a bad practice in our code base? Moreover, it will introduce high CPU usage, with preg_replace() + md5() execution for each param in SQL statements. This is not a reliable solution.

[michalbundyra]

@ezimuel Ok, fine then, so the #35 should be marked as "invalid" or "won't fix" and never tried to be fixed 😄

[ezimuel]

@webimpress I know, this was my fault, sorry.

[michalbundyra]

@ezimuel It's fine, you've tried to fix #178. Everyone makes mistake...
Good that you handle it very quickly and we will have shortly 2.9.1. Thanks for it! :)

[alextech]

Automatically changing anything in the query will make it very difficult to debug at database level. A common debugging procedure is looking through database logs, in SqlServer watching through real time activity monitor. Then, copy those queries and search for them in the codebase. Changing the names will no longer match logged queries with whats in code.

I think instead should do validation for special chars at the same place you tried md5() and throw InvalidArgumentException to give a nice message before letting it crash at driver level.

[ezimuel]

@alextech I added the throw Exception for invalid characters [^a-zA-Z0-9_] in my revert PR #289.