From e047fc92d647cacddce5abdd7e8b8cf33852624b Mon Sep 17 00:00:00 2001
From: Matt Lawrence
Date: Fri, 3 Jan 2025 11:57:52 +0000
Subject: [PATCH] Use safer quoting for placeholders

Switch to mysql_real_escape_string_quote for placeholder replacement, allowing placeholders to be used when NO_BACKSLASH_ESCAPES is in effect.
---
 dbdimp.c    | 2 +-
 t/17quote.t | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/dbdimp.c b/dbdimp.c
index 27d05570..39db0336 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -636,7 +636,7 @@ static char *parse_params(
       if (!is_num)
       {
         *ptr++ = '\'';
-        ptr += mysql_real_escape_string(sock, ptr, valbuf, vallen);
+        ptr += mysql_real_escape_string_quote(sock, ptr, valbuf, vallen, '\'');
         *ptr++ = '\'';
       }
       else
diff --git a/t/17quote.t b/t/17quote.t
index 93ca63a6..911b3986 100644
--- a/t/17quote.t
+++ b/t/17quote.t
@@ -23,13 +23,19 @@ my @results_ansi = (qw/ 'foo' 'foo\'bar' 'foo\\\\bar'/);
 my @results_no_backlslash = (qw/ 'foo' 'foo''bar' 'foo\\bar'/);
 my @results = (\@results_empty, \@results_ansi, \@results_no_backlslash);
 
-plan tests => (@sqlmodes * @words * 2 + 1);
+plan tests => (@sqlmodes * @words * 3 + 1);
 
 while (my ($i, $sqlmode) = each @sqlmodes) {
   $dbh->do("SET sql_mode=?", undef, $sqlmode eq "empty" ? "" : $sqlmode);
   for my $j (0..@words-1) {
     ok $dbh->quote($words[$j]);
     cmp_ok($dbh->quote($words[$j]), "eq", $results[$i][$j], "$sqlmode $words[$j]");
+
+    is(
+      $dbh->selectrow_array('SELECT ?', undef, $words[$j]),
+      $words[$j],
+      "Round-tripped '$words[$j]' through a placeholder query"
+    );
   }
 }
 
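Review bot: The quote character passed on the new `mysql_real_escape_string_quote` line has to agree with the literal `'\''` delimiters written by the lines immediately before and after it, because under NO_BACKSLASH_ESCAPES the function escapes by doubling that quote rather than backslashing it, and nothing in the code ties the three together. A comment above the `if (!is_num)` branch such as `/* quote char must match the delimiters emitted around the escaped value; NO_BACKSLASH_ESCAPES doubles it instead of backslash-escaping */` would stop one being changed without the other. `mysql_real_escape_string_quote` is a newer client-library entry point than `mysql_real_escape_string`, so if the module still builds against older or alternative client libraries this call presumably needs a configure-time check with a fallback — confirm against the build setup. The worst-case expansion remains two output bytes per input byte, so the sizing of the buffer `ptr` writes into (done outside this hunk) should not need to change, but that is worth verifying rather than assuming. parse_params begins and ends outside the hunk.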
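Review bot: `$dbh->selectrow_array` is called in list context as the first argument of the new `is(...)`, so its whole row is spliced into `is`'s argument list; that only works because the query returns exactly one column and one row, and an empty or wider result would silently shift `$words[$j]` into the expected slot and the description into the third. Forcing scalar context pins the argument count: `scalar $dbh->selectrow_array('SELECT ?', undef, $words[$j]),`. The round trip only exercises the client-side escaping in parse_params if the handle uses client-side placeholder emulation (presumably the default, but the connection setup is outside the hunk); with server-side prepare enabled the server would bind the value and the quoting change would go untested. The plan bump to `* 3` matches the one added assertion per word.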