Escape dollar signs in named parameters because they donot survive preg_replace but are needed for passwords.

lonnieezell · lonnieezell · commit 5e34d59328c1 · 2016-10-26T23:52:37.000-05:00
diff --git a/system/Database/Query.php b/system/Database/Query.php
@@ -404,11 +404,16 @@ protected function matchNamedBinds(string $sql, array $binds)
 		foreach ($binds as $placeholder => $value)
 		{
 			$escapedValue = $this->db->escape($value);
+
 			if (is_array($escapedValue))
 			{
 				$escapedValue = '('.implode(',', $escapedValue).')';
 			}
 
+			// $ causes issues in preg_replace, but are needed
+            // for password hashes
+            $escapedValue = str_replace('$', '\$', $escapedValue);
+
 			$sql = preg_replace('/:'.$placeholder.'(?!\w)/', $escapedValue, $sql);
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -404,11 +404,16 @@ protected function matchNamedBinds(string $sql, array $binds)`
`404`	`404`	`foreach ($binds as $placeholder => $value)`
`405`	`405`	`{`
`406`	`406`	`$escapedValue = $this->db->escape($value);`
	`407`	`+`
`407`	`408`	`if (is_array($escapedValue))`
`408`	`409`	`{`
`409`	`410`	`$escapedValue = '('.implode(',', $escapedValue).')';`
`410`	`411`	`}`
`411`	`412`
	`413`	`+ // $ causes issues in preg_replace, but are needed`
	`414`	`+ // for password hashes`
	`415`	`+ $escapedValue = str_replace('$', '\$', $escapedValue);`
	`416`	`+`
`412`	`417`	`$sql = preg_replace('/:'.$placeholder.'(?!\w)/', $escapedValue, $sql);`
`413`	`418`	`}`
`414`	`419`