noahheck / E_PDOStatement

Drop in replacement for default PHP PDOStatement class allowing devs to view an interpolated version of a parameterized query

Replacement content with backreference syntax getting stripped from fullQuery #15

Closed noahheck closed 6 years ago

noahheck commented 6 years ago

i.e. password_hash function may produce something like this:

$2y$10$Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay

but the full query value ends up like this:

y$Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay
$2y$10$Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay
  y   $Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay

More problematic would be the presence of a $0 backreference in the replacement value (potentially re-adding the placeholder to the content string)

noahheck commented 6 years ago

This might be a solution to this:

https://stackoverflow.com/questions/39968330/avoid-backreference-replacement-in-phps-preg-replace
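
The behaviour reported in this issue, next to two ways of avoiding it, as an added example that is not E_PDOStatement's own code. The function names, the `:password` placeholder and the simplified quoting are assumptions; the hash is the one quoted above and the `$0` value is constructed.

```php
<?php
// Hypothetical helpers for illustration only; quoting is simplified to bare
// single quotes because the point here is the replacement-string handling.

function placeholderPattern(string $placeholder): string
{
    return '/' . preg_quote($placeholder, '/') . '\b/';
}

// Problem: the bound value is passed as the replacement string, so
// preg_replace() treats $n and \n sequences inside it as backreferences.
function interpolateNaive(string $sql, string $placeholder, string $value): string
{
    return preg_replace(placeholderPattern($placeholder), "'" . $value . "'", $sql, 1);
}

// Fix 1: escape backslashes and dollar signs so the replacement is literal.
function interpolateEscaped(string $sql, string $placeholder, string $value): string
{
    $replacement = "'" . addcslashes($value, '\\$') . "'";
    return preg_replace(placeholderPattern($placeholder), $replacement, $sql, 1);
}

// Fix 2: a callback's return value is inserted verbatim, with no
// backreference parsing at all.
function interpolateCallback(string $sql, string $placeholder, string $value): string
{
    $callback = function () use ($value): string {
        return "'" . $value . "'";
    };
    return preg_replace_callback(placeholderPattern($placeholder), $callback, $sql, 1);
}

$sql = 'UPDATE users SET password = :password WHERE id = 1';

$values = [
    // Hash quoted in the issue: "$2" and "$10" parse as (empty) backreferences.
    '$2y$10$Xs/oqD0cVCb7hM1suoAD/Oqf4tlm5suTb8IsczDTnttiWUtHsb5ay',
    // Constructed value: "$0" expands to the matched placeholder itself.
    'cost is $0',
];

foreach ($values as $value) {
    echo 'naive:    ', interpolateNaive($sql, ':password', $value), PHP_EOL;
    echo 'escaped:  ', interpolateEscaped($sql, ':password', $value), PHP_EOL;
    echo 'callback: ', interpolateCallback($sql, ':password', $value), PHP_EOL;
}
```

Only the debug rendering is affected here: the value bound to the real prepared statement is untouched, but a log or audit trail built from the naive output would show a truncated or rewritten value.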