Traced statement interpolation fixes (php-debugbar#381)

* Prevent back reference issues in TracedStatement

* Prevent substring replacement

If a previously replaced value in the query string contains the placeholder
for a future replacement, the string inside was being replaced
Also, PHP allows the bindParameter syntax to omit the leading ':', so we
test to make sure it's there and add it if not

Author: noahheck

src/DebugBar/DataCollector/PDO/TracedStatement.php

@@ -107,15 +107,28 @@ public function getSqlWithParams($quotationChar = '<>')
         }
 
         $sql = $this->sql;
+
+        $cleanBackRefCharMap = array('%'=>'%%', '$'=>'$%', '\\'=>'\\%');
+
         foreach ($this->parameters as $k => $v) {
-            $v = "$quoteLeft$v$quoteRight";
-            if (!is_numeric($k)) {
-                $sql = preg_replace("/{$k}\b/", $v, $sql, 1);
+
+            $backRefSafeV = strtr($v, $cleanBackRefCharMap);
+
+            $v = "$quoteLeft$backRefSafeV$quoteRight";
+
+            if (is_numeric($k)) {
+                $marker = "\?";
             } else {
-                $p = strpos($sql, '?');
-                $sql = substr($sql, 0, $p) . $v. substr($sql, $p + 1);
+                $marker = (preg_match("/^:/", $k)) ? $k : ":" . $k;
             }
+
+            $matchRule = "/({$marker}(?!\w))(?=(?:[^$quotationChar]|[$quotationChar][^$quotationChar]*[$quotationChar])*$)/";
+
+            $sql = preg_replace($matchRule, $v, $sql, 1);
         }
+
+        $sql = strtr($sql, array_flip($cleanBackRefCharMap));
+
         return $sql;
     }
 

tests/DebugBar/Tests/TracedStatementTest.php

@@ -37,4 +37,85 @@ public function testReplacementParamsQuery()
         $result = $traced->getSqlWithParams();
         $this->assertEquals($expected, $result);
     }
-}
+
+    public function testReplacementParamsContainingBackReferenceSyntaxGeneratesCorrectString()
+    {
+        $hashedPassword = '$2y$10$S3Y/kSsx8Z5BPtdd9.k3LOkbQ0egtsUHBT9EGQ.spxsmaEWbrxBW2';
+        $sql = "UPDATE user SET password = :password";
+
+        $params = array(
+            ':password' => $hashedPassword,
+        );
+
+        $traced = new TracedStatement($sql, $params);
+
+        $result = $traced->getSqlWithParams();
+
+        $expected = "UPDATE user SET password = <$hashedPassword>";
+
+        $this->assertEquals($expected, $result);
+    }
+
+    public function testReplacementParamsContainingPotentialAdditionalQuestionMarkPlaceholderGeneratesCorrectString()
+    {
+        $hasQuestionMark = "Asking a question?";
+        $string          = "Asking for a friend";
+
+        $sql = "INSERT INTO questions SET question = ?, detail = ?";
+
+        $params = array($hasQuestionMark, $string);
+
+        $traced = new TracedStatement($sql, $params);
+
+        $result = $traced->getSqlWithParams();
+
+        $expected = "INSERT INTO questions SET question = <$hasQuestionMark>, detail = <$string>";
+
+        $this->assertEquals($expected, $result);
+
+        $result = $traced->getSqlWithParams("'");
+
+        $expected = "INSERT INTO questions SET question = '$hasQuestionMark', detail = '$string'";
+
+        $this->assertEquals($expected, $result);
+
+        $result = $traced->getSqlWithParams('"');
+
+        $expected = "INSERT INTO questions SET question = \"$hasQuestionMark\", detail = \"$string\"";
+
+        $this->assertEquals($expected, $result);
+    }
+
+    public function testReplacementParamsContainingPotentialAdditionalNamedPlaceholderGeneratesCorrectString()
+    {
+        $hasQuestionMark = "Asking a question with a :string inside";
+        $string          = "Asking for a friend";
+
+        $sql = "INSERT INTO questions SET question = :question, detail = :string";
+
+        $params = array(
+            ':question' => $hasQuestionMark,
+            ':string'   => $string,
+        );
+
+        $traced = new TracedStatement($sql, $params);
+
+        $result = $traced->getSqlWithParams();
+
+        $expected = "INSERT INTO questions SET question = <$hasQuestionMark>, detail = <$string>";
+
+        $this->assertEquals($expected, $result);
+
+        $result = $traced->getSqlWithParams("'");
+
+        $expected = "INSERT INTO questions SET question = '$hasQuestionMark', detail = '$string'";
+
+        $this->assertEquals($expected, $result);
+
+        $result = $traced->getSqlWithParams('"');
+
+        $expected = "INSERT INTO questions SET question = \"$hasQuestionMark\", detail = \"$string\"";
+
+        $this->assertEquals($expected, $result);
+    }
+}