From e2508c9035fdc718e025221ce20b5146edf1d41c Mon Sep 17 00:00:00 2001
From: Pratik Joshi
Date: Thu, 4 Jul 2013 17:10:21 +0530
Subject: [PATCH] crm-12976-fix : using 'strstr' while placeholder replacement mechanism

---
 CRM/Core/DAO.php | 8 +-------
 tests/phpunit/CRM/Core/DAOTest.php | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/CRM/Core/DAO.php b/CRM/Core/DAO.php
index dae921dc15..c03f87f9ee 100644
--- a/CRM/Core/DAO.php
+++ b/CRM/Core/DAO.php
@@ -1004,13 +1004,7 @@ FROM civicrm_domain
 }
 }
- // CRM-11582
- foreach($tr as $key => $value) {
- $key = preg_quote($key);
- $value = preg_quote($value);
- $query = preg_replace("/$key\b/", $value, $query);
- }
- return $query;
+ return strtr($query, $tr);
 }
 static function freeResult($ids = NULL) {
diff --git a/tests/phpunit/CRM/Core/DAOTest.php b/tests/phpunit/CRM/Core/DAOTest.php
index 5989a9e42b..fe455c6e3b 100644
--- a/tests/phpunit/CRM/Core/DAOTest.php
+++ b/tests/phpunit/CRM/Core/DAOTest.php
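Review bot: The new `return strtr($query, $tr);` substitutes a placeholder wherever its bytes occur, including inside a string literal — `%2` in `LIKE '%2012'` becomes `''Bob'012'`, as the test added in the other file documents — whereas the removed `\b`-anchored regex left `%2012` untouched, so boundary handling regresses silently into a malformed query rather than an error. If the motivation was only to stop `preg_quote($value)` from inserting backslashes into the replacement text (the removed lines suggest that, but the commit does not say), a callback keeps both properties and still inserts the value verbatim with no backreference interpretation: `return preg_replace_callback('/%\d+\b/', function ($m) use ($tr) { return isset($tr[$m[0]]) ? $tr[$m[0]] : $m[0]; }, $query);` — this assumes `$tr` is keyed by the literal `%N` token, which the test inputs suggest but the hunk does not show. Whichever form stays, the dropped `// CRM-11582` reference should give way to a comment stating the contract, e.g. `// Single pass: replacement values are never re-scanned, so a value containing %N is not expanded again; longest key is tried first (%10 before %1); no token boundary is honoured, so %2 inside '%2012' is replaced.` The start of composeQuery, where `$tr` is built, is above this hunk.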
@@ -71,4 +71,25 @@ class CRM_Core_DAOTest extends CiviUnitTestCase {
 $actualSql = CRM_Core_DAO::composeQuery($inputSql, $inputParams);
 $this->assertEquals($expectSql, $actualSql);
 }
+
+ // CASE: Two params where the %2 is already present in the query
+ // NOTE: This case should rightly FAIL, as using strstr in the replace mechanism will turn
+ // the query into: SELECT * FROM whatever WHERE name = 'Alice' AND title = 'Bob' AND year LIKE ''Bob'012'
+ // So, to avoid such ERROR, the query should be framed like:
+ // 'SELECT * FROM whatever WHERE name = %1 AND title = %3 AND year LIKE '%2012'
+ // $params[3] = array('Bob', 'String');
+ // i.e. the place holder should be unique and should not contain in any other operational use in query
+ function testComposeQueryFailure() {
+ $cases[] = array(
+ 'SELECT * FROM whatever WHERE name = %1 AND title = %2 AND year LIKE \'%2012\' ',
+ array(
+ 1 => array('Alice', 'String'),
+ 2 => array('Bob', 'String'),
+ ),
+ 'SELECT * FROM whatever WHERE name = \'Alice\' AND title = \'Bob\' AND year LIKE \'%2012\' ',
+ );
+ list($inputSql, $inputParams, $expectSql) = $cases[0];
+ $actualSql = CRM_Core_DAO::composeQuery($inputSql, $inputParams);
+ $this->assertFalse(($expectSql == $actualSql));
+ }
 }
--
2.25.1
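Review bot: `$this->assertFalse(($expectSql == $actualSql))` only proves the output differs from a string the comments already say it cannot be, so it passes for any wrong output and does not actually record the behaviour it describes; pin the result the comment block itself spells out instead: `$this->assertEquals("SELECT * FROM whatever WHERE name = 'Alice' AND title = 'Bob' AND year LIKE ''Bob'012' ", $actualSql);` (trailing space included, since the input SQL ends with one). With that assertion a later change to composeQuery that does honour token boundaries will fail here visibly instead of sailing through, and the test becomes a real regression guard rather than a negative check with loose `==`. The comment block and the commit subject both say `strstr`, but the function DAO.php now calls is `strtr`; the comment should name the right function. A name such as `testComposeQueryPlaceholderInsideLiteral` describes the case better than `testComposeQueryFailure`, because the test is expected to pass.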