Skip to content

Traced statement interpolation fixes #381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 16, 2018
Merged

Traced statement interpolation fixes #381

merged 2 commits into from
Apr 16, 2018

Conversation

@noahheck
Copy link
Contributor

@noahheck noahheck commented Apr 13, 2018

I've maintained a project that performs similar behavior to what occurs in the TracedStatement (generating a string from the parameterized query with the bound arguments put in place into it), so I've seen some of the things to beware of when offering this functionality. Here's a synopsis of the issues and how I work around them:

Back reference syntax in the bound parameter value

If a value to be replaced back into the string contains a substring that looks like a regex back reference (e.g. $1), the preg_replace function looks to facilitate that:

i.e. password_hash function may produce something like this:

$2y$10$Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay

but the interpolated query value ends up like this:

y$Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay

$2y$10$Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay
  y   $Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay

I work around this by appending a % to any $ % or \ (the back reference characters) present in the bound argument value, then change them all back again afterward.

Placeholder substring presence in replaced value

If a replaced value within the query string contains the placeholder character for a future replacement, the replacement may be incorrectly performed against the value within that replacement:

$question = "What's up?";
$person = "Rasmus";

$sql = "INSERT INTO questions SET question = ?, asker = ?";

Performing the translation as it was would have resulted in this:

INSERT INTO questions SET question = <What's up<Rasmus>>, asker = ?

I work around this by ensuring the replacement doesn't occur within a set of the $quotationChar.

Optional leading colon in parameter binding

Named placeholders are required to have a leading colon, but the colon is optional when calling bindParam:

$sql = "INSERT INTO questions SET question = :question, asker = :asker";
$stmt = $pdo->prepare($sql);

// Both instructions below will execute correctly
$stmt->bindParam("question", $question);
$stmt->bindParam(":asker", $asker);

I work around this by checking for the presence of a leading colon on the bound parameter and adding it if it's not present.

I added tests for these scenarios.

noahheck added 2 commits April 12, 2018 22:19
@noahheck
Prevent back reference issues in TracedStatement
57ae236
@noahheck
Prevent substring replacement
6fbc3d0 
If a previously replaced value in the query string contains the placeholder
for a future replacement, the string inside was being replaced
Also, PHP allows the bindParameter syntax to omit the leading ':', so we
test to make sure it's there and add it if not
@barryvdh barryvdh merged commit 3f31153 into php-debugbar:master Apr 16, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@noahheck @barryvdh