Merge pull request #16 from noahheck/BackReferenceFix

Fix back reference syntax in replacement value

src/EPDOStatement.php

@@ -206,15 +206,22 @@ private function replaceMarker($queryString, $marker, $replValue)
             $marker = (preg_match("/^:/", $marker)) ? $marker : ":" . $marker;
         }
 
-        $testParam = "/({$marker}(?!\w))(?=(?:[^\"']|[\"'][^\"']*[\"'])*$)/";
-
         $this->debug("Replacing marker {marker} with value {value}",
             array(
                 "marker" => $marker,
                 "value"  => $replValue,
             ));
 
-        return preg_replace($testParam, $replValue, $queryString, 1);
+        $testParam = "/({$marker}(?!\w))(?=(?:[^\"']|[\"'][^\"']*[\"'])*$)/";
+
+        // Back references may be replaced in the resultant interpolatedQuery, so we need to sanitize that syntax
+        $cleanBackRefCharMap = ['%'=>'%%', '$'=>'$%', '\\'=>'\\%'];
+
+        $backReferenceSafeReplValue = strtr($replValue, $cleanBackRefCharMap);
+
+        $interpolatedString = preg_replace($testParam, $backReferenceSafeReplValue, $queryString, 1);
+
+        return strtr($interpolatedString, array_flip($cleanBackRefCharMap));
     }
 
     /**

tests/src/EPDOStatementTest.php

@@ -414,4 +414,21 @@ public function testQueryIsNotChangedIfNoParametersUsedInQuery()
 
         $this->assertEquals($query, $stmt->interpolateQuery());
     }
+
+    public function testDollarSignBackReferenceSyntaxGetsOutputCorrectlyInFullQuery()
+    {
+        $pdo = $this->getPdo();
+
+        $hashedPassword = '$2y$10$yOwqQMxRo0AveSZ6I6Yhn.aMqbtGYrKQvcLGEtanplhdboUM1ffGi';
+
+        $query = "UPDATE users SET password = :password";
+
+        $stmt = $pdo->prepare($query);
+
+        $stmt->bindParam(":password", $hashedPassword);
+
+        $result = $stmt->interpolateQuery();
+
+        $this->assertEquals("UPDATE users SET password = '$hashedPassword'", $result);
+    }
 }