tweak: double single quote for proper escaping

PhpGt · Aug 17, 2023 · 180df86 · 180df86
1 parent 094856d
commit 180df86
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/Query/SqlQuery.php b/src/Query/SqlQuery.php
@@ -182,7 +182,7 @@ private function injectDynamicIn(string $sql, array &$data):string {
 
 		foreach($data["__dynamicIn"] as $i => $value) {
 			if(is_string($value)) {
-				$value = str_replace("'", "\'", $value);
+				$value = str_replace("'", "''", $value);
 				$data["__dynamicIn"][$i] = "'$value'";
 			}
 		}

diff --git a/test/phpunit/Query/SqlQueryTest.php b/test/phpunit/Query/SqlQueryTest.php
@@ -385,7 +385,7 @@ public function testDynamicBindingsWhereInStrings(
 
 		self::assertStringNotContainsString("dynamicIn", $injectedSql);
 
-		self::assertStringContainsString("where `createdAt` > :startDate and `name` in ( 'one', 'two', 'three\'s the last' ) limit 10", $injectedSql);
+		self::assertStringContainsString("where `createdAt` > :startDate and `name` in ( 'one', 'two', 'three''s the last' ) limit 10", $injectedSql);
 		self::assertArrayNotHasKey("__dynamicIn", $data);
 		self::assertSame("2020-01-01", $data["startDate"]);
 	}