use preg replace callback to prevent values containing a '?' from hav…

…ing other values injected inside it.
elvanto · May 17, 2023 · 0e9fc19 · 0e9fc19
1 parent 12f625c
commit 0e9fc19
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/lib/PicoDb/StatementHandler.php b/lib/PicoDb/StatementHandler.php
@@ -298,9 +298,12 @@ protected function beforeExecute()
         if ($this->logQueries) {
             $sql = $this->sql;
             if ($this->logQueryValues) {
-                foreach ($this->lobParams as $value) {
-                    $sql = substr_replace($sql, "'$value'", strpos($sql, '?'), 1);
-                }
+                $i = 0;
+                $values = $this->lobParams;
+                return preg_replace_callback('/\?/', function() use ($values, &$i) {
+                    $i++;
+                    return $values[$i] ?? '';
+                }, $sql);
             }
             $this->db->setLogMessage($sql);
         }