Sanitize null bytes before quoteValue() on PHP 8.5+ in SQLite. (#20673)

framework/CHANGELOG.md

@@ -81,6 +81,7 @@ Yii Framework 2 Change Log
 - Bug #20665: Fix PHP `8.5` `null` array offset deprecation warnings in `yii\build\controllers\ReleaseController` class (terabytesoftw)
 - Bug #20658: Add missing generics in `yii\console`, `yii\captcha`, `yii\caching` and `yii\behaviors` namespaces (mspirkov)
 - Bug #20666: Add missing generics in `yii\base`, `yii\console`, `yii\filters` and `yii\web` namespaces (mspirkov)
+- Bug #20673: Sanitize `null` bytes before `quoteValue()` on PHP 8.5+ in SQLite (terabytesoftw)
 - Bug #20671: Fix PHPDoc annotations in `yii\base`, `yii\console`, `yii\web` and `yii\widgets` namespaces (mspirkov)
 
 

framework/db/sqlite/Schema.php

@@ -491,4 +491,24 @@ class Schema extends BaseSchema implements ConstraintFinderInterface
     {
         return strncmp($identifier, 'sqlite_', 7) === 0;
     }
+
+    /**
+     * @inheritdoc
+     *
+     * Since PHP 8.5, `PDO::quote()` throws a ValueError when the string contains null bytes ("\0").
+     *
+     * This method sanitizes such bytes before calling the parent implementation to avoid exceptions while maintaining
+     * backward compatibility.
+     *
+     * @link https://github.com/php/php-src/commit/0a10f6db26875e0f1d0f867307cee591d29a43c7
+     */
+    public function quoteValue($value)
+    {
+        if (PHP_VERSION_ID >= 80500 && is_string($value) && str_contains($value, "\0")) {
+            // Sanitize null bytes to prevent PDO ValueError on PHP 8.5+
+            $value = str_replace("\0", '', $value);
+        }
+
+        return parent::quoteValue($value);
+    }
 }