Escape parameters of object with __toString()

simPod · Oct 8, 2020 · 6e6e69f · 6e6e69f
1 parent e9c14c5
commit 6e6e69f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/src/Sql/ValueFormatter.php b/src/Sql/ValueFormatter.php
@@ -66,7 +66,7 @@ public function format($value, ?string $paramName = null, ?string $sql = null) :
         }
 
         if (is_object($value) && method_exists($value, '__toString')) {
-            return "'" . $value . "'";
+            return "'" . Escaper::escape((string) $value) . "'";
         }
 
         if (is_array($value)) {

diff --git a/tests/Sql/ValueFormatterTest.php b/tests/Sql/ValueFormatterTest.php
@@ -36,6 +36,7 @@ public function providerFormat() : iterable
         yield 'float .0' => ['1', 1.0];
         yield 'float .5' => ['1.5', 1.5];
         yield 'string' => ["'ping'", 'ping'];
+        yield 'string escaped' => ["'ping\\\\n'", 'ping\n'];
         yield 'null' => ['IS NULL', null];
         yield 'array' => ["['a','b','c']", ['a', 'b', 'c']];
         yield 'array in array' => ["[['a']]", [['a']]];
@@ -62,6 +63,16 @@ public function __toString() : string
                 }
             },
         ];
+
+        yield 'Stringable escaped' => [
+            "'stringable \\\\n'",
+            new class () {
+                public function __toString() : string
+                {
+                    return 'stringable \n';
+                }
+            },
+        ];
     }
 
     /**