authorgodzilla80@gmx.net <>2010-02-20 09:18:40 +0000
committergodzilla80@gmx.net <>2010-02-20 09:18:40 +0000
commita1d65f3737980658e9a5dd12165860e35e435941 (patch)
treec9b3afc8d9ba9708e1cb16741d422ece27827753
parentc625202466d9677f4005905f73b00c2941e1f6da (diff)
Fixed Issue 209 - SqlMap doesn't escape inline params properly
-rw-r--r--HISTORY1
-rw-r--r--framework/Data/SqlMap/Statements/TSimpleDynamicSql.php3
-rw-r--r--tests/unit/Data/SqlMap/DynamicParameterTest.php19
-rw-r--r--tests/unit/Data/SqlMap/DynamicParameterTestMap.xml6
4 files changed, 27 insertions, 2 deletions
diff --git a/HISTORY b/HISTORY
index 525915ce..c0d6e04f 100644
--- a/HISTORY
+++ b/HISTORY
@@ -17,6 +17,7 @@ BUG: Issue#192 - soap-enc:Array not a valid complex type (mosonyi at esix.hu)
BUG: Issue#198 - "Undefined variable: tagName" after error in application configuration. (Christophe)
BUG: Issue#200 - TShellApplication failed when no service are defined in application configuration. (Christophe)
BUG: Issue#208 - TDbConnection.Charset not working properly (googlenew at pcforum.hu, Christophe)
+BUG: Issue#209 - SqlMap doesn't escape inline params properly (Yves)
BUG: Issue#212 - Mistaken query executed by TMysqlMetaData (pbenny, Christophe)
BUG: Issue#216 - TTabPanel doesn't preserve active tab on callback request (googlenew at pcforum.hu,Christophe)
BUG: Issue~223 - TXmlElement doesn't support all types in attributes - fails to save (Christophe)
diff --git a/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php b/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php
index 3e8969ba..5d85ded9 100644
--- a/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php
+++ b/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php
@@ -32,9 +32,8 @@ class TSimpleDynamicSql extends TStaticSql
foreach($this->_mappings as $property)
{
$value = TPropertyAccess::get($parameter, $property);
- $sql = preg_replace('/'.TSimpleDynamicParser::DYNAMIC_TOKEN.'/', $value, $sql, 1);
+ $sql = preg_replace('/'.TSimpleDynamicParser::DYNAMIC_TOKEN.'/', str_replace('$', '\$', $value), $sql, 1);
}
-
return $sql;
}
}
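Review bot: The replacement string on the added `preg_replace` line is protected only against `$`, but PHP also interprets backslash sequences there (`\0`–`\99` as backreferences, `\\` as one backslash), so a value containing backslashes is still rewritten before it reaches the SQL text. A value that already contains `\$` becomes `\\$`, which turns the `$n` reference back on. Escaping both characters closes this: `$sql = preg_replace('/'.TSimpleDynamicParser::DYNAMIC_TOKEN.'/', addcslashes($value, '\\$'), $sql, 1);`. Backslash is also the default escape character inside MySQL string literals, so a silently collapsed `\\` can change where a quoted literal ends. A comment above the loop should also state that inline `$...$` values are spliced into the statement verbatim and are not SQL-escaped here, so untrusted input must not be passed through them; the enclosing method starts outside the hunk.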
diff --git a/tests/unit/Data/SqlMap/DynamicParameterTest.php b/tests/unit/Data/SqlMap/DynamicParameterTest.php
index ec37f4e0..f9b39b96 100644
--- a/tests/unit/Data/SqlMap/DynamicParameterTest.php
+++ b/tests/unit/Data/SqlMap/DynamicParameterTest.php
@@ -15,6 +15,9 @@ class DynamicParameterTest extends PHPUnit_Framework_TestCase
static $conn;
static $sqlMapManager;
+ if(Prado::getApplication() === null)
+ Prado::setApplication(new TApplication(dirname(__FILE__).'/app'));
+
if($conn === null)
$conn = new TDbConnection('mysql:host=localhost;dbname=prado_system_data_sqlmap', 'prado_unitest', 'prado_system_data_sqlmap_unitest');
@@ -85,6 +88,22 @@ class DynamicParameterTest extends PHPUnit_Framework_TestCase
self::assertEquals('staticsql1', $value);
}
+ /**
+ * Issue#209 test
+ */
+ public function testMysqlInlineEscapeParam()
+ {
+ $mapper = $this->getMysqlSqlMapManager();
+ $gateway = $mapper->getSqlmapGateway();
+
+ $value = $gateway->queryForObject('SelectInlineEscapeParam', "'1234567*123$456789$012345' AS foobar");
+ self::assertEquals('1234567*123$456789$012345', $value);
+
+ $value = $gateway->queryForObject('SelectInlineEscapeParam', '"1234567*123$456789$012345" AS foobar');
+ self::assertEquals('1234567*123$456789$012345', $value);
+
+ }
+
}
?> \ No newline at end of file
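Review bot: `testMysqlInlineEscapeParam` covers only `$` followed by digits, so it would still pass if backslash sequences in the inline value were altered by the replacement step in `TSimpleDynamicSql`. Add a third case whose parameter contains a backslash followed by a digit and a doubled backslash, and assert that the value round-trips unchanged. The blank line before the method's closing brace can be dropped.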
diff --git a/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml b/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml
index 65a91154..29670578 100644
--- a/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml
+++ b/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="UTF-8" ?>
<sqlMap namespace="DynamicParameterTestMap">
+
<select id="SelectStaticSql1" resultClass="string">
<![CDATA[
SELECT `teststring` FROM `dynamicparametertest1` WHERE `testname`="staticsql"
@@ -30,4 +31,9 @@
]]>
</select>
+ <select id="SelectInlineEscapeParam" parameterClass="string" resultClass="string">
+ <![CDATA[
+ SELECT $value$
+ ]]>
+ </select>
</sqlMap> \ No newline at end of file