Merge branch 'hotfix/289'

Close #289
Fixes #288

Author: weierophinney

CHANGELOG.md

@@ -2,12 +2,24 @@
 
 All notable changes to this project will be documented in this file, in reverse chronological order by release.
 
-## 2.9.1 - TBD
+## 2.9.1 - 2017-12-07
 
 ### Added
 
 - Nothing.
 
+### Changed
+
+- [#289](https://github.com/zendframework/zend-db/pull/289) reverts a change
+  introduced in 2.9.0 and modifies the behavior of the PDO adapter slightly
+  to remove a regression. In 2.9.0, when binding parameters with names that
+  contained characters not supported by PDO, we would pass the parameter names
+  to `md5()`; this caused a regression, as the SQL string containing the
+  parameter name was not also updated.
+
+  This patch modifies the behavior during a bind-operation to instead raise an
+  exception if a parameter name contains characters not supported by PDO.
+
 ### Deprecated
 
 - Nothing.

src/Adapter/Driver/Pdo/Pdo.php

@@ -304,8 +304,16 @@ public function getPrepareType()
     public function formatParameterName($name, $type = null)
     {
         if ($type === null && ! is_numeric($name) || $type == self::PARAMETERIZATION_NAMED) {
-            // using MD5 because of the PDO restriction [A-Za-z0-9_] for bindParam name
-            return ':' . md5($name);
+            // @see https://bugs.php.net/bug.php?id=43130
+            if (preg_match('/[^a-zA-Z0-9_]/', $name)) {
+                throw new Exception\RuntimeException(sprintf(
+                    'The PDO param %s contains invalid characters.'
+                    . ' Only alphabetic characters, digits, and underscores (_)'
+                    . ' are allowed.',
+                    $name
+                ));
+            }
+            return ':' . $name;
         }
 
         return '?';

test/Adapter/Driver/Pdo/PdoTest.php

@@ -43,16 +43,16 @@ public function testGetDatabasePlatformName()
     public function getParamsAndType()
     {
         return [
-            [ 'foo', null, ':' . md5('foo')],
-            [ 'foo-', null, ':' . md5('foo-')],
-            [ 'foo$', null, ':' . md5('foo$')],
+            [ 'foo', null, ':foo' ],
+            [ 'foo_bar', null, ':foo_bar' ],
+            [ '123foo', null, ':123foo' ],
             [ 1, null, '?' ],
-            [ '1', null, '?'],
-            [ 'foo', Pdo::PARAMETERIZATION_NAMED, ':' . md5('foo')],
-            [ 'foo-', Pdo::PARAMETERIZATION_NAMED, ':' . md5('foo-')],
-            [ 'foo$', Pdo::PARAMETERIZATION_NAMED, ':' . md5('foo$')],
-            [ 1, Pdo::PARAMETERIZATION_NAMED, ':' . md5('1')],
-            [ '1', Pdo::PARAMETERIZATION_NAMED, ':' . md5('1')],
+            [ '1', null, '?' ],
+            [ 'foo', Pdo::PARAMETERIZATION_NAMED, ':foo' ],
+            [ 'foo_bar', Pdo::PARAMETERIZATION_NAMED, ':foo_bar' ],
+            [ '123foo', Pdo::PARAMETERIZATION_NAMED, ':123foo' ],
+            [ 1, Pdo::PARAMETERIZATION_NAMED, ':1' ],
+            [ '1', Pdo::PARAMETERIZATION_NAMED, ':1' ],
         ];
     }
 
@@ -64,4 +64,23 @@ public function testFormatParameterName($name, $type, $expected)
         $result = $this->pdo->formatParameterName($name, $type);
         $this->assertEquals($expected, $result);
     }
+
+    public function getInvalidParamName()
+    {
+        return [
+            [ 'foo%' ],
+            [ 'foo-' ],
+            [ 'foo$' ],
+            [ 'foo0!' ]
+        ];
+    }
+
+    /**
+     * @dataProvider getInvalidParamName
+     * @expectedException Zend\Db\Exception\RuntimeException
+     */
+    public function testFormatParameterNameWithInvalidCharacters($name)
+    {
+        $this->pdo->formatParameterName($name);
+    }
 }

test/Adapter/Driver/Pdo/StatementIntegrationTest.php

@@ -55,7 +55,7 @@ protected function tearDown()
     public function testStatementExecuteWillConvertPhpBoolToPdoBoolWhenBinding()
     {
         $this->pdoStatementMock->expects($this->any())->method('bindParam')->with(
-            $this->equalTo(':' . md5('foo')),
+            $this->equalTo(':foo'),
             $this->equalTo(false),
             $this->equalTo(\PDO::PARAM_BOOL)
         );
@@ -65,7 +65,7 @@ public function testStatementExecuteWillConvertPhpBoolToPdoBoolWhenBinding()
     public function testStatementExecuteWillUsePdoStrByDefaultWhenBinding()
     {
         $this->pdoStatementMock->expects($this->any())->method('bindParam')->with(
-            $this->equalTo(':' . md5('foo')),
+            $this->equalTo(':foo'),
             $this->equalTo('bar'),
             $this->equalTo(\PDO::PARAM_STR)
         );

test/Adapter/Driver/Pdo/StatementTest.php

@@ -128,28 +128,4 @@ public function testExecute()
         $this->statement->prepare('SELECT 1');
         self::assertInstanceOf('Zend\Db\Adapter\Driver\Pdo\Result', $this->statement->execute());
     }
-
-    /**
-     * @see https://github.com/zendframework/zend-db/pull/224
-     */
-    public function testExecuteWithSpecialCharInBindParam()
-    {
-        $testSqlite = new TestAsset\SqliteMemoryPdo('CREATE TABLE test (text_ TEXT, text$ TEXT);');
-        $this->statement->setDriver(new Pdo(new Connection($testSqlite)));
-        $this->statement->initialize($testSqlite);
-
-        $this->statement->prepare(sprintf(
-            'INSERT INTO test (text_, text$) VALUES (:%s, :%s)',
-            md5('text_'),
-            md5('text$')
-        ));
-        $result = $this->statement->execute([ 'text_' => 'foo', 'text$' => 'bar']);
-        $this->assertInstanceOf(Result::class, $result);
-        $this->assertTrue($result->valid());
-
-        $result = $testSqlite->query('SELECT * FROM test');
-        $values = $result->fetch();
-        $this->assertEquals('foo', $values['text_']);
-        $this->assertEquals('bar', $values['text$']);
-    }
 }