Use safer quoting for placeholders

Matt Lawrence · dveeden · commit 6d9f97c0f4aa · 2025-01-03T14:44:24.000+01:00
Switch to mysql_real_escape_string_quote for placeholder replacement,
allowing placeholders to be used when NO_BACKSLASH_ESCAPES is in effect.
diff --git a/dbdimp.c b/dbdimp.c
@@ -636,7 +636,7 @@ static char *parse_params(
             if (!is_num)
             {
               *ptr++ = '\'';
-              ptr += mysql_real_escape_string(sock, ptr, valbuf, vallen);
+              ptr += mysql_real_escape_string_quote(sock, ptr, valbuf, vallen, '\'');
               *ptr++ = '\'';
             }
             else
diff --git a/t/17quote.t b/t/17quote.t
@@ -23,13 +23,19 @@ my @results_ansi = (qw/ 'foo' 'foo\'bar' 'foo\\\\bar'/);
 my @results_no_backlslash = (qw/ 'foo' 'foo''bar' 'foo\\bar'/);
 my @results = (\@results_empty, \@results_ansi, \@results_no_backlslash);
 
-plan tests => (@sqlmodes * @words * 2 + 1);
+plan tests => (@sqlmodes * @words * 3 + 1);
 
 while (my ($i, $sqlmode) = each @sqlmodes) {
   $dbh->do("SET sql_mode=?", undef,  $sqlmode eq "empty" ? "" : $sqlmode);
   for my $j (0..@words-1) {
     ok $dbh->quote($words[$j]);
     cmp_ok($dbh->quote($words[$j]), "eq", $results[$i][$j], "$sqlmode $words[$j]");
+
+    is(
+        $dbh->selectrow_array('SELECT ?', undef, $words[$j]),
+        $words[$j],
+        "Round-tripped '$words[$j]' through a placeholder query"
+    );
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -636,7 +636,7 @@ static char *parse_params(`
`636`	`636`	`if (!is_num)`
`637`	`637`	`{`
`638`	`638`	`*ptr++ = '\'';`
`639`		`- ptr += mysql_real_escape_string(sock, ptr, valbuf, vallen);`
	`639`	`+ ptr += mysql_real_escape_string_quote(sock, ptr, valbuf, vallen, '\'');`
`640`	`640`	`*ptr++ = '\'';`
`641`	`641`	`}`
`642`	`642`	`else`