Context Navigation

Ticket #11608: 11608.3.diff

File 11608.3.diff, 1.0 KB (added by Denis-de-Bernardy, 16 years ago)
double escape first approach (untested)

                 // If args were passed as an array (as in vsprintf), move them up
                 if ( isset($args[0]) && is_array($args[0]) )
                         $args = $args[0];
+                $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
+                $query = str_replace('"%s"', '%s', $query); // doublequote unquoting
+                $query = str_replace('%s', "'%s'", $query); // quote the strings
+                // allow literal % to be entered as such
+                $query = str_replace('%', '%%', $query);
+                // leave things such as LIKE '%%stuff' or 'some %%stuff' untouched
+                // but catch mistakingly quoted strings such as '%%s'
+                $query = preg_replace("/(^|\s)(['\"]?)%%s\\2(\s|$)/", "$1'%d'$3", $query);
+                $query = preg_replace("/(^|\s)(['\"]?)%%d\\2(\s|$)/", "$1%d$3", $query);
                 array_walk($args, array(&$this, 'escape_by_ref'));
                 return @vsprintf($query, $args);
+        }