summaryrefslogtreecommitdiff
path: root/drivers/adodb-oci8po.inc.php
diff options
context:
space:
mode:
authorMark Newnham <mark@newnhams.com>2015-06-28 14:18:29 +0200
committerDamien Regad <dregad@mantisbt.org>2015-06-28 14:24:28 +0200
commiteb9d83915fcfdcd4a4fb3f65a586e6c60be598f7 (patch)
tree349ad03fed3b80530981c8bce2ab743accebf337 /drivers/adodb-oci8po.inc.php
parent21258606cdd93fb3d9481bb83f01c4deb02cff19 (diff)
downloadadodb-eb9d83915fcfdcd4a4fb3f65a586e6c60be598f7.tar.gz
adodb-eb9d83915fcfdcd4a4fb3f65a586e6c60be598f7.tar.bz2
adodb-eb9d83915fcfdcd4a4fb3f65a586e6c60be598f7.zip
oci8po: prevent replacement of '?' within strings
When processing an SQL statement containing a '?' character within a string, ADOdb wrongly assumed it is for a bind variable. The number of variables then no longer matches the number passed, and crashes the _query() function. We now identify whether a '?' is within a string and don't use it as a bind variable if so. Fixes #132 Signed-off-by: Damien Regad <dregad@mantisbt.org>
Diffstat (limited to 'drivers/adodb-oci8po.inc.php')
-rw-r--r--drivers/adodb-oci8po.inc.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/adodb-oci8po.inc.php b/drivers/adodb-oci8po.inc.php
index 95a7d322..1f82e456 100644
--- a/drivers/adodb-oci8po.inc.php
+++ b/drivers/adodb-oci8po.inc.php
@@ -64,11 +64,22 @@ class ADODB_oci8po extends ADODB_oci8 {
$arr['bind'.$i++] = $v;
}
} else {
+ // Need to identify if the ? is inside a quoted string, and if
+ // so not use it as a bind variable
+ preg_match_all('/".*\??"|\'.*\?.*?\'/', $sql, $matches);
+ foreach($matches[0] as $qmMatch){
+ $qmReplace = str_replace('?', '-QUESTIONMARK-', $qmMatch);
+ $sql = str_replace($qmMatch, $qmReplace, $sql);
+ }
+
$sqlarr = explode('?',$sql);
$sql = $sqlarr[0];
+
foreach($inputarr as $k => $v) {
$sql .= ":$k" . $sqlarr[++$i];
}
+
+ $sql = str_replace('-QUESTIONMARK-', '?', $sql);
}
}
return ADODB_oci8::_query($sql,$inputarr);