QueryException::formatMessage() replacing all question marks #39239

Closed
lupinitylabs opened this issue Oct 18, 2021 · 1 comment

Comments

@lupinitylabs
Contributor

lupinitylabs commented Oct 18, 2021

  • Laravel Version: 8.53.1
  • PHP Version: 8.0.11
  • Database Driver & Version: MySQL 8.0.26

Description:

The formatMessage() method in \Illuminate\Database\QueryException provides the failed query as an SQL string with bindings replaced as follows:

        return $previous->getMessage().' (SQL: '.Str::replaceArray('?', $bindings, $sql).')';

This naive approach will of course replace ALL question marks within the query string, including question marks that may exist in parts of the query including, but not limited to, raw statements (select, order, subqueries) or SQL comments.

However, there are a couple of reasons not to act on this:

  • this issue has existed for 8 years now, so I suppose it is not really a concern
  • it is only cosmetic.
  • fixing this is not trivial. Using a regex could mitigate the easy cases, but to really tackle this might require parsing.

Steps To Reproduce:

  User::selectRaw('"Hello??"')->whereType('SomeParameter')->find(4)


  User::selectRaw('"Test?" /* Some comment? */')->whereType('SomeParameter')->find(4)


@driesvints
Member

Yeah, I don't really see a big issue here if it's been in here so long and no one has reported it so far. Appreciate you informing us however 👍 But I think we're gonna let this one be.
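
The behaviour reported in the issue above, next to a regex that covers the "easy cases" it mentions, as an added example that is not part of the original thread or of Laravel's code base. `naiveInterpolate()` reproduces the sequential replacement in standalone PHP; `literalAwareInterpolate()` is a hypothetical helper that assumes MySQL quoting and comment syntax, and the sample SQL string is constructed to approximate the second reproduction step.

```php
<?php
// Added example: standalone PHP, not Laravel code. Function names are hypothetical.

// Sequential replacement with the same effect as Str::replaceArray('?', $bindings, $sql).
function naiveInterpolate(string $sql, array $bindings): string
{
    $segments = explode('?', $sql);
    $result = array_shift($segments);
    foreach ($segments as $segment) {
        $result .= (array_shift($bindings) ?? '?') . $segment;
    }
    return $result;
}

// Substitutes only bare placeholders; quoted text and comments are copied through.
function literalAwareInterpolate(string $sql, array $bindings): string
{
    $pattern = <<<'RX'
    ~
        '(?:[^'\\]|\\.|'')*'    # single-quoted string
      | "(?:[^"\\]|\\.|"")*"    # double-quoted string or identifier
      | `(?:[^`]|``)*`          # backtick-quoted identifier
      | /\*.*?\*/               # block comment
      | --[ \t][^\n]*           # line comment, MySQL style with whitespace after the dashes
      | \#[^\n]*                # MySQL hash comment
      | \?                      # bare placeholder
    ~xs
    RX;

    $out = preg_replace_callback($pattern, function (array $m) use (&$bindings) {
        if ($m[0] !== '?') {
            return $m[0]; // literal or comment: leave untouched
        }
        return $bindings ? (string) array_shift($bindings) : '?';
    }, $sql);

    return $out ?? $sql; // fall back to the raw SQL if the regex engine errors out
}

// Constructed sample: roughly the SQL the second reproduction step would produce.
$sql = 'select "Test?" /* Some comment? */ from `users` where `type` = ? and `users`.`id` = ? limit 1';
$bindings = ['SomeParameter', 4];

echo naiveInterpolate($sql, $bindings), PHP_EOL;
echo literalAwareInterpolate($sql, $bindings), PHP_EOL;
```

This is still not a parser: an unterminated quote or syntax specific to another database driver falls outside what the pattern recognizes.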
