diff --git a/core/lib/Drupal/Core/Database/Connection.php b/core/lib/Drupal/Core/Database/Connection.php
index a56bcf6..18283ce 100644
--- a/core/lib/Drupal/Core/Database/Connection.php
+++ b/core/lib/Drupal/Core/Database/Connection.php
@@ -529,7 +529,7 @@ public function makeComment($comments) {
    *   A sanitized version of the query comment string.
    */
   protected function filterComment($comment = '') {
-    return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment);
+    return strtr($comment, ['*' => ' * ']);
   }
 
   /**
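Review bot: The new `strtr()` return in filterComment() has no comment explaining why every asterisk is padded instead of the delimiters being removed, and the docblock, which starts above this hunk, still only promises a "sanitized" string. Without that, a later cleanup could revert to delimiter stripping, which a single pass does not make safe: the `**//` input in the SelectTest provider appears to collapse to `*/` once the inner `*/` is removed by the old regex. I would add above the return: `// Pad each asterisk with spaces so neither "*/" nor "/*" can occur in the comment body; removing delimiters instead can leave a fresh delimiter behind.` The guarantee also depends on makeComment() passing every fragment through this method, which is not visible in this hunk.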
diff --git a/core/modules/system/src/Tests/Database/SelectTest.php b/core/modules/system/src/Tests/Database/SelectTest.php
index 641cdc2..9237e2b 100644
--- a/core/modules/system/src/Tests/Database/SelectTest.php
+++ b/core/modules/system/src/Tests/Database/SelectTest.php
@@ -57,10 +57,47 @@ function testVulnerableComment() {
     $records = $result->fetchAll();
 
     $query = (string) $query;
-    $expected = "/* Testing query comments SELECT nid FROM {node}; -- */";
+    $expected = "/* Testing query comments  * / SELECT nid FROM {node}; -- */ SELECT test.name AS name, test.age AS age\nFROM \n{test} test";
 
     $this->assertEqual(count($records), 4, 'Returned the correct number of rows.');
     $this->assertNotIdentical(FALSE, strpos($query, $expected), 'The flattened query contains the sanitised comment string.');
+
+    $connection = Database::getConnection();
+    foreach ($this->makeCommentsProvider() as $test_set) {
+      list($expected, $comments) = $test_set;
+      $this->assertEqual($expected, $connection->makeComment($comments));
+    }
+  }
+
+  /**
+   * Provides expected and input values for testVulnerableComment().
+   */
+  function makeCommentsProvider() {
+    return [
+      [
+        '/*  */ ',
+        [''],
+      ],
+      // Try and close the comment early.
+      [
+        '/* Exploit  * / DROP TABLE node; -- */ ',
+        ['Exploit */ DROP TABLE node; --'],
+      ],
+      // Variations on comment closing.
+      [
+        '/* Exploit  * / * / DROP TABLE node; -- */ ',
+        ['Exploit */*/ DROP TABLE node; --'],
+      ],
+      [
+        '/* Exploit  *  * // DROP TABLE node; -- */ ',
+        ['Exploit **// DROP TABLE node; --'],
+      ],
+      // Try closing the comment in the second string which is appended.
+      [
+        '/* Exploit  * / DROP TABLE node; --; Another try  * / DROP TABLE node; -- */ ',
+        ['Exploit */ DROP TABLE node; --', 'Another try */ DROP TABLE node; --'],
+      ],
+    ];
   }
 
   /**
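Review bot: The assertion inside the new `foreach` in testVulnerableComment() uses `assertEqual()`, which compares loosely and has no message, so a failing data set cannot be identified from the test output. Since this pins the exact sanitised string for a security fix, I would make it `$this->assertIdentical($expected, $connection->makeComment($comments), 'Sanitised comment for: ' . implode(' | ', $comments));`. The loop also overwrites the `$expected` variable used by the earlier assertion, so a distinct name such as `$expected_comment` would read more clearly. The provider covers only attempts to close the comment; a case containing an opening `/*` would pin the other half of what the asterisk padding guarantees. The start of testVulnerableComment() lies outside this hunk.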
