Fix escaped placeholder and interpolate paramters with non sequential numeric keys (#2073)

FlashBlack · web-flow · commit db7562db7004 · 2025-10-04T20:30:35.000+02:00
diff --git a/src/Twig/DoctrineExtension.php b/src/Twig/DoctrineExtension.php
@@ -15,10 +15,14 @@
 use Twig\TwigFilter;
 
 use function addslashes;
+use function array_filter;
 use function array_key_exists;
+use function array_keys;
 use function array_merge;
+use function array_values;
 use function bin2hex;
 use function class_exists;
+use function count;
 use function implode;
 use function is_array;
 use function is_bool;
@@ -121,26 +125,26 @@ public function replaceQueryParameters($query, $parameters)
             $parameters = $parameters->getValue(true);
         }
 
-        $i = 0;
-
-        if (! array_key_exists(0, $parameters) && array_key_exists(1, $parameters)) {
-            $i = 1;
+        $keys = array_keys($parameters);
+        if (count(array_filter($keys, 'is_int')) === count($keys)) {
+            $parameters = array_values($parameters);
         }
 
+        $i = 0;
+
         return preg_replace_callback(
-            '/\?|((?<!:):[a-z0-9_]+)/i',
+            '/(?<!\?)\?(?!\?)|(?<!:)(:[a-z0-9_]+)/i',
             static function ($matches) use ($parameters, &$i) {
                 $key = substr($matches[0], 1);
 
                 if (! array_key_exists($i, $parameters) && ! array_key_exists($key, $parameters)) {
                     return $matches[0];
                 }
 
-                $value  = array_key_exists($i, $parameters) ? $parameters[$i] : $parameters[$key];
-                $result = DoctrineExtension::escapeFunction($value);
+                $value = array_key_exists($i, $parameters) ? $parameters[$i] : $parameters[$key];
                 $i++;
 
-                return $result;
+                return DoctrineExtension::escapeFunction($value);
             },
             $query,
         );
diff --git a/tests/Twig/DoctrineExtensionTest.php b/tests/Twig/DoctrineExtensionTest.php
@@ -23,13 +23,13 @@ public function testReplaceQueryParametersWithPostgresCasting(): void
         $this->assertEquals('a=1 OR (1)::string OR b=2', $result);
     }
 
-    public function testReplaceQueryParametersWithStartingIndexAtOne(): void
+    public function testReplaceQueryParametersWithNonSequentialNumericKeys(): void
     {
         $extension  = new DoctrineExtension();
         $query      = 'a=? OR b=?';
         $parameters = [
-            1 => 1,
-            2 => 2,
+            2 => 1,
+            5 => 2,
         ];
 
         $result = $extension->replaceQueryParameters($query, $parameters);
@@ -74,6 +74,16 @@ public function testReplaceQueryParametersWithEmptyArray(): void
         $this->assertEquals('IN (NULL)', $result);
     }
 
+    public function testReplaceQueryParametersWithEscapedParameterPlaceholder(): void
+    {
+        $extension  = new DoctrineExtension();
+        $query      = 'column->>field ?? ?';
+        $parameters = ['foo'];
+
+        $result = $extension->replaceQueryParameters($query, $parameters);
+        $this->assertEquals("column->>field ?? 'foo'", $result);
+    }
+
     public function testEscapeBinaryParameter(): void
     {
         $binaryString = pack('H*', '9d40b8c1417f42d099af4782ec4b20b6');
