From 84bd58f902d93970a6626c2e3d360eed09a4b174 Mon Sep 17 00:00:00 2001
From: Kunio Murasawa
Date: Sat, 2 Jun 2012 01:17:52 +0900
Subject: Escape sprintf % chars in queries

Thanks m92o
---
 idiorm.php | 3 +++
 test/test_queries.php | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/idiorm.php b/idiorm.php
index 8291181..710b913 100644
--- a/idiorm.php
+++ b/idiorm.php
@@ -271,6 +271,9 @@
 // Escape the parameters
 $parameters = array_map(array(self::$_db, 'quote'), $parameters);
 
+ // Avoid %format collision for vsprintf
+ $query = str_replace("%", "%%", $query);
+
 // Replace placeholders in the query for vsprintf
 $query = str_replace("?", "%s", $query);
 
diff --git a/test/test_queries.php b/test/test_queries.php
index 0faa592..e5681db 100644
--- a/test/test_queries.php
+++ b/test/test_queries.php
@@ -120,6 +120,10 @@
 $expected = "SELECT * FROM `widget` WHERE `name` = 'Fred' AND (`age` = '5' OR `age` = '10')";
 Tester::check_equal("Raw WHERE clause", $expected);
 
+ ORM::for_table('widget')->where_raw('STRFTIME("%Y", "now") = ?', array(2012))->find_many();
+ $expected = "SELECT * FROM `widget` WHERE STRFTIME(\"%Y\", \"now\") = '2012'";
+ Tester::check_equal("Raw WHERE clause with '%'", $expected);
+
 ORM::for_table('widget')->where_raw('`name` = "Fred"')->find_many();
 $expected = "SELECT * FROM `widget` WHERE `name` = \"Fred\"";
 Tester::check_equal("Raw WHERE clause with no parameters", $expected);
-- 
cgit v1.2.3
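Review bot: The `%` doubling is only correct because it runs before the `?` to `%s` rewrite on the following context line, and nothing in the hunk records that ordering; a later reorder would silently double the placeholder's own `%`. I would make the dependency explicit in the comment: `// Must run before '?' is rewritten to '%s' below, or the placeholder's own '%' would be doubled too`. Since the quoted parameters appear to be handed to vsprintf as arguments rather than spliced into the format string, a `%` inside a value (a LIKE pattern, for instance) should be unaffected, but the vsprintf call itself is outside the hunk, so that is inferred. Before this change a `%` in raw SQL could be read as a conversion specifier and misalign or abort the substitution of the quoted arguments, which is worth spelling out in the commit message as the failure mode being closed. The enclosing method starts and ends outside the hunk.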
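Review bot: The new case only exercises a `%` in the raw SQL text; a second case with a `%` inside a parameter value would pin the other half of the contract, that values passed through as arguments are not doubled: `ORM::for_table('widget')->where_raw('`name` LIKE ?', array('%Fred%'))->find_many();` with `$expected = "SELECT * FROM `widget` WHERE `name` LIKE '%Fred%'";` and `Tester::check_equal("Raw WHERE clause with '%' in parameter", $expected);`. The expected quoting is inferred from the neighbouring cases in the hunk, which show string values wrapped in single quotes. The surrounding test code continues outside the hunk.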