Querystring preperation doesn't fail nicely when a placeholder is not found

[kmq]

In the lib/database-*.php files in the function db_prep_query we have the following lines

$posa = mb_strpos($qstring, $needle);
$posb = mb_strlen($needle);
$qstring = mb_substr($qstring,0,$posa).$tmp.mb_substr($qstring,(    $posa + $posb));

When $needle is not found because, for example, a developer wrote a query like this

UPDATE table SET column_a = $1 WHERE  column_b = $3; --note the missing $2

then mb_strpos() stores false in $posa. mb_substr() interpretes $posa to mean 0 and the poor developer ends up with

value2DATE table SET column_a = value1 WHERE  column_b = $3;

to fix this I propose we add something like:

function db_prep_query($qstring, $params, $types){
     $orig_qstring = $qstring;

and

$posa = mb_strpos($qstring, $needle);
 if(!$posa) { $new mb_exception("Error while preparing statement in ".$_SERVER['SCRIPT_FILENAME']. ": Sql :". $orig_qstring .",Error: parameter '$needle' not found ");}

[christoph]

thanks for looking into this.

I think your patch is perfectly sensible.

Please go ahead, and if you find the time, add it to trunk and the 2.5 and 2.6 branches. You can then add a link to the changesets here.

​http://trac.osgeo.org/mapbender/changeset/<revision_number>

If you don't find the time, just assign the ticket to me.

[verenadiewald]

mapbender 2.6: ​http://trac.osgeo.org/mapbender/changeset/4646

mapbender trunk: ​http://trac.osgeo.org/mapbender/changeset/4647