Merge pull request #39 from socialblue/develop

fixes issue #29 add slashes for sql and preg_replace

src/Helper/QueryBuilderHelper.php

@@ -38,7 +38,7 @@ public static function combineQueryAndBindings($sql, $bindings)
 
  while (strpos($sql, '?') !== false) {
  $value = array_shift($bindings);
- $sql = preg_replace('/\?/', ($pdo->quote($value)), $sql, 1);
+ $sql = preg_replace('/\?/', $pdo->quote(addslashes(addslashes($value))), $sql, 1);
  }
  return $sql;
  }

tests/Unit/QueryBuilderHelperTest.php

@@ -0,0 +1,48 @@
+<?php
+
+use Socialblue\LaravelQueryAdviser\Helper\QueryBuilderHelper;
+use Socialblue\LaravelQueryAdviser\Tests\TestCase;
+
+class QueryBuilderHelperTest extends TestCase {
+
+ /**
+ * @test
+ *
+ * @param $query
+ * @param $bindings
+ * @param $result
+ *
+ * @dataProvider queriesAndBindings
+ */
+ public function should_replace_bindings_in_query($query, $bindings, $result) {
+
+ $this->assertEquals($result, QueryBuilderHelper::combineQueryAndBindings($query, $bindings));
+ }
+
+ /**
+ * @return array
+ */
+ public function queriesAndBindings(): array
+ {
+ return [
+ 'with_one_number' => [
+ 'query' => 'select * from user WHERE id = ?',
+ 'bindings' => [1],
+ 'result' => "select * from user WHERE id = '1'",
+ ],
+
+ 'with_escaped_characters' => [
+ 'query' => 'select * from user WHERE name = ?',
+ 'bindings' => [QueryBuilderHelper::class],
+ 'result' => "select * from user WHERE name = '". addslashes(QueryBuilderHelper::class) . "'",
+ ],
+
+ 'two_bindings_one_number_one_escaped_characters' => [
+ 'query' => 'select * from user WHERE id = ? AND name = ?',
+ 'bindings' => [1, QueryBuilderHelper::class],
+ 'result' => "select * from user WHERE id = '1' AND name = '". addslashes(QueryBuilderHelper::class) . "'",
+ ],
+ ];
+ }
+
+}