Database: SqlPreprocessor ignores placeholders in comments [Closes nette/nette#1293]

Author: dg

src/Database/SqlPreprocessor.php

@@ -79,7 +79,7 @@ public function process($params)
 			} else {
 				$res[] = Nette\Utils\Strings::replace(
 					$param,
-					'~\'.*?\'|".*?"|\?|\b(?:INSERT|REPLACE|UPDATE|WHERE|HAVING|ORDER BY|GROUP BY)\b~si',
+					'~\'.*?\'|".*?"|\?|\b(?:INSERT|REPLACE|UPDATE|WHERE|HAVING|ORDER BY|GROUP BY)\b|/\*.*?\*/|--[^\n]*~si',
 					array($this, 'callback')
 				);
 			}
@@ -93,7 +93,7 @@ public function process($params)
 	public function callback($m)
 	{
 		$m = $m[0];
-		if ($m[0] === "'" || $m[0] === '"') { // string
+		if ($m[0] === "'" || $m[0] === '"' || $m[0] === '/' || $m[0] === '-') { // string or comment
 			return $m;
 
 		} elseif ($m === '?') { // placeholder

tests/Database/SqlPreprocessor.phpt

@@ -57,6 +57,28 @@ test(function() use ($preprocessor) {
 });
 
 
+test(function() use ($preprocessor) { // comments
+	list($sql, $params) = $preprocessor->process(array("SELECT id --?\nFROM author WHERE id = ?", 11));
+	Assert::same( "SELECT id --?\nFROM author WHERE id = 11", $sql );
+	Assert::same( array(), $params );
+
+	list($sql, $params) = $preprocessor->process(array("SELECT id /* ? \n */FROM author WHERE id = ? --*/", 11));
+	Assert::same( "SELECT id /* ? \n */FROM author WHERE id = 11 --*/", $sql );
+	Assert::same( array(), $params );
+});
+
+
+test(function() use ($preprocessor) { // strings
+	list($sql, $params) = $preprocessor->process(array("SELECT id, '?' FROM author WHERE id = ?", 11));
+	Assert::same( "SELECT id, '?' FROM author WHERE id = 11", $sql );
+	Assert::same( array(), $params );
+
+	list($sql, $params) = $preprocessor->process(array('SELECT id, "?" FROM author WHERE id = ?', 11));
+	Assert::same( 'SELECT id, "?" FROM author WHERE id = 11', $sql );
+	Assert::same( array(), $params );
+});
+
+
 test(function() use ($preprocessor) { // where
 	list($sql, $params) = $preprocessor->process(array('SELECT id FROM author WHERE', array(
 		'id' => NULL,