From a1d65f3737980658e9a5dd12165860e35e435941 Mon Sep 17 00:00:00 2001 From: "godzilla80@gmx.net" <> Date: Sat, 20 Feb 2010 09:18:40 +0000 Subject: Fixed Issue 209 - SqlMap doesn't escape inline params properly --- HISTORY | 1 + .../Data/SqlMap/Statements/TSimpleDynamicSql.php | 3 +-- tests/unit/Data/SqlMap/DynamicParameterTest.php | 19 +++++++++++++++++++ tests/unit/Data/SqlMap/DynamicParameterTestMap.xml | 6 ++++++ 4 files changed, 27 insertions(+), 2 deletions(-) diff --git a/HISTORY b/HISTORY index 525915ce..c0d6e04f 100644 --- a/HISTORY +++ b/HISTORY @@ -17,6 +17,7 @@ BUG: Issue#192 - soap-enc:Array not a valid complex type (mosonyi at esix.hu) BUG: Issue#198 - "Undefined variable: tagName" after error in application configuration. (Christophe) BUG: Issue#200 - TShellApplication failed when no service are defined in application configuration. (Christophe) BUG: Issue#208 - TDbConnection.Charset not working properly (googlenew at pcforum.hu, Christophe) +BUG: Issue#209 - SqlMap doesn't escape inline params properly (Yves) BUG: Issue#212 - Mistaken query executed by TMysqlMetaData (pbenny, Christophe) BUG: Issue#216 - TTabPanel doesn't preserve active tab on callback request (googlenew at pcforum.hu,Christophe) BUG: Issue~223 - TXmlElement doesn't support all types in attributes - fails to save (Christophe) diff --git a/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php b/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php index 3e8969ba..5d85ded9 100644 --- a/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php +++ b/framework/Data/SqlMap/Statements/TSimpleDynamicSql.php @@ -32,9 +32,8 @@ class TSimpleDynamicSql extends TStaticSql foreach($this->_mappings as $property) { $value = TPropertyAccess::get($parameter, $property); - $sql = preg_replace('/'.TSimpleDynamicParser::DYNAMIC_TOKEN.'/', $value, $sql, 1); + $sql = preg_replace('/'.TSimpleDynamicParser::DYNAMIC_TOKEN.'/', str_replace('$', '\$', $value), $sql, 1); } - return $sql; } } 
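Review bot: The added `str_replace('$', '\$', $value)` in the `preg_replace` call of TSimpleDynamicSql.php escapes only `$`, so a backslash in the value is still parsed as replacement syntax: `\0` or `\1` is read as a backreference and `\\` collapses to a single backslash. Escaping both characters, e.g. `addcslashes($value, '\\$')`, or substituting through `preg_replace_callback` so the value is never parsed as a replacement string, would cover that case. Separately, the value is still spliced into the SQL text verbatim (the new test passes a quoted literal plus `AS foobar` as the parameter), so a comment above the loop should say something like `// inline parameters are inserted as raw SQL, not bound or SQL-escaped; never pass untrusted input`. The enclosing method starts outside the hunk.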
diff --git a/tests/unit/Data/SqlMap/DynamicParameterTest.php b/tests/unit/Data/SqlMap/DynamicParameterTest.php index ec37f4e0..f9b39b96 100644 --- a/tests/unit/Data/SqlMap/DynamicParameterTest.php +++ b/tests/unit/Data/SqlMap/DynamicParameterTest.php @@ -15,6 +15,9 @@ class DynamicParameterTest extends PHPUnit_Framework_TestCase static $conn; static $sqlMapManager; + if(Prado::getApplication() === null) + Prado::setApplication(new TApplication(dirname(__FILE__).'/app')); + if($conn === null) $conn = new TDbConnection('mysql:host=localhost;dbname=prado_system_data_sqlmap', 'prado_unitest', 'prado_system_data_sqlmap_unitest'); @@ -85,6 +88,22 @@ class DynamicParameterTest extends PHPUnit_Framework_TestCase self::assertEquals('staticsql1', $value); } + /** + * Issue#209 test + */ + public function testMysqlInlineEscapeParam() + { + $mapper = $this->getMysqlSqlMapManager(); + $gateway = $mapper->getSqlmapGateway(); + + $value = $gateway->queryForObject('SelectInlineEscapeParam', "'1234567*123$456789$012345' AS foobar"); + self::assertEquals('1234567*123$456789$012345', $value); + + $value = $gateway->queryForObject('SelectInlineEscapeParam', '"1234567*123$456789$012345" AS foobar'); + self::assertEquals('1234567*123$456789$012345', $value); + + } + } ?> \ No newline at end of file diff --git a/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml b/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml index 65a91154..29670578 100644 --- a/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml +++ b/tests/unit/Data/SqlMap/DynamicParameterTestMap.xml @@ -1,5 +1,6 @@ + + \ No newline at end of file -- cgit v1.2.3
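Review bot: `testMysqlInlineEscapeParam` exercises only `$` followed by digits, and its two cases differ only in the quote character, so the other character that is special in a `preg_replace` replacement string, the backslash, is not pinned by this test. A third case whose value contains a backslash followed by a digit, and one with a doubled backslash, would show whether such values reach the query unchanged. The docblock could also state the expectation rather than only the issue number, e.g. `Issue#209: '$' followed by digits in an inline parameter must reach the query unchanged`.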