author | Kunio Murasawa <[email protected]> | 2012-06-02 01:17:52 +0900 |
committer | Simon Holywell <[email protected]> | 2012-11-08 13:39:40 +0000 |
commit | 84bd58f902d93970a6626c2e3d360eed09a4b174 (patch) | |
tree | a5b3e84e06af72047f6999ba8f00b2cebf5685fa | |
parent | 6ad8dc19fee4a323e2c5e92371a46be1a1b7c847 (diff) |
Escape sprintf % chars in queries
Thanks m92o
-rw-r--r-- | idiorm.php | 3 | ||||
-rw-r--r-- | test/test_queries.php | 4 |
2 files changed, 7 insertions, 0 deletions
@@ -271,6 +271,9 @@
 // Escape the parameters
 $parameters = array_map(array(self::$_db, 'quote'), $parameters);
+ // Avoid %format collision for vsprintf
+ $query = str_replace("%", "%%", $query);
+
 // Replace placeholders in the query for vsprintf
 $query = str_replace("?", "%s", $query);
diff --git a/test/test_queries.php b/test/test_queries.php
index 0faa592..e5681db 100644
--- a/test/test_queries.php
+++ b/test/test_queries.php
@@ -120,6 +120,10 @@
 $expected = "SELECT * FROM `widget` WHERE `name` = 'Fred' AND (`age` = '5' OR `age` = '10')";
 Tester::check_equal("Raw WHERE clause", $expected);
+ ORM::for_table('widget')->where_raw('STRFTIME("%Y", "now") = ?', array(2012))->find_many();
+ $expected = "SELECT * FROM `widget` WHERE STRFTIME(\"%Y\", \"now\") = '2012'";
+ Tester::check_equal("Raw WHERE clause with '%'", $expected);
+
 ORM::for_table('widget')->where_raw('`name` = "Fred"')->find_many();
 $expected = "SELECT * FROM `widget` WHERE `name` = \"Fred\"";
 Tester::check_equal("Raw WHERE clause with no parameters", $expected);
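Review bot: The `%` to `%%` doubling is only correct because it runs before the `?` to `%s` rewrite two lines below, and nothing in the hunk records that ordering constraint; swapping the two statements would turn every `%s` placeholder into a literal `%s` in the output. I would extend the new comment to `// Must run before the ? -> %s replacement below; the parameters themselves need no doubling because vsprintf never interprets its arguments as format strings`. Separately, a `?` inside a string literal of a raw clause (for example `where_raw("note = '?' AND id = ?", array(5))`) is still rewritten to `%s`, so the placeholder count no longer matches the parameter count; if the vsprintf call that follows is unguarded, that mismatch surfaces as a warning and a false return on PHP 5/7 or a ValueError on PHP 8, so a `substr_count($query, '?') === count($parameters)` check before it would make the failure explicit instead of producing a silently wrong string. The vsprintf call and the start of the enclosing function lie outside the hunk, so whether this string is only logged or also executed cannot be confirmed from here.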
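Review bot: The new test only covers a `%` in the raw SQL text; the other half of the contract, that a `%` arriving inside a parameter value must come through untouched rather than doubled, is not exercised, and a `LIKE` pattern is the common real-world case for it. Adding `ORM::for_table('widget')->where_raw('`name` LIKE ?', array('%Fred%'))->find_many();` with `$expected = "SELECT * FROM `widget` WHERE `name` LIKE '%Fred%'";` and `Tester::check_equal("Raw WHERE clause with '%' in parameter", $expected);` would pin that behaviour alongside the `STRFTIME` case. The expected quoting mirrors the `'2012'` form used in this hunk and presumes the same quote() stub; confirm against the test harness before relying on the exact string.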