Fix using regex when string value containing a placeholder name

yiisoft · Mar 28, 2024 · e9660dc · e9660dc
1 parent 766fc54
commit e9660dc
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/src/Expression/ExpressionBuilder.php b/src/Expression/ExpressionBuilder.php
@@ -62,7 +62,7 @@ private function appendParams(string $sql, array &$expressionParams, array &$par
             $patterns[] = $this->getPattern($name);
             $uniqueName = $this->getUniqueName($name, $params);
 
-            $replacements[] = $uniqueName[0] !== ':' ? ":$uniqueName" : $uniqueName;
+            $replacements[] = '$1' . ($uniqueName[0] !== ':' ? ":$uniqueName" : $uniqueName);
 
             $params[$uniqueName] = $value;
             $expressionParams[$uniqueName] = $value;
@@ -104,7 +104,9 @@ private function getPattern(string $name): string
             $name = ":$name";
         }
 
-        return '/' . preg_quote($name, '/') . '\b/';
+        $skipQuotedStrings = '((?:([\'"`])(?:.*?(?:\\\\)*(?:\\\2)?)*\2.*?)*)';
+
+        return '/' . $skipQuotedStrings . preg_quote($name, '/') . '\b/';
     }
 
     private function getUniqueName(string $name, array $params): string

diff --git a/tests/Provider/QueryBuilderProvider.php b/tests/Provider/QueryBuilderProvider.php
@@ -1262,7 +1262,7 @@ public static function update(): array
                     'val1' => 'Banana',
                 ],
             ],
-            [
+            'Expressions with nested Expressions' => [
                 '{{table}}',
                 ['name' => new Expression(
                     ':val || :val_0',
@@ -1305,6 +1305,22 @@ public static function update(): array
                 // Wrong order of params
                 ['Banana', 'Apple'],
             ],
+            'Expressions with a string value containing a placeholder name' => [
+                '{{product}}',
+                ['price' => 10],
+                ':val',
+                [':val' => new Expression("label=':val\\\'a\\\'' label1=':val\\\'a\\\'' AND name=:val", [':val' => 'Apple'])],
+                DbHelper::replaceQuotes(
+                    <<<SQL
+                    UPDATE [[product]] SET [[price]]=:qp1 WHERE label=':val\'a\'' AND name=:val_0
+                    SQL,
+                    static::$driverName,
+                ),
+                [
+                    ':qp1' => 10,
+                    ':val_0' => 'Apple',
+                ],
+            ],
         ];
     }