Edit report at https://bugs.php.net/bug.php?id=62361&edit=1

 ID:                 62361
 Comment by:         a...@php.net
 Reported by:        lgynove at 163 dot com
 Summary:            SQLite3::escapeString
 Status:             Verified
 Type:               Bug
 Package:            SQLite related
 Operating System:   windows xp
 PHP Version:        5.3.14
 Block user comment: N
 Private report:     N

 New Comment:

That's not a PHP bug, I'd say. We rely here on the functionality of 
http://www.sqlite.org/c3ref/mprintf.html using the %q format option. And this is 
what their manual says:

---
The %q option works like %s in that it substitutes a nul-terminated string from 
the argument list. But %q also doubles every '\'' character. %q is designed for 
use inside a string literal. By doubling each '\'' character it escapes that 
character and allows it to be inserted into the string.
---

Escaping '\'' and '\0' can of course be easily implemented. But, as sqlite3 
itself has no other string formatting options, I'd really doubt the usefulness 
and correctness of such an implementation. Furthermore, if such data were 
selected back from the db, some code would be needed to restore all those 
escaped '\0' bytes and whatever else.

It might make sense to use base64 or the like to insert binary data into 
sqlite3, I think.


Previous Comments:
------------------------------------------------------------------------
[2012-06-24 21:05:17] fel...@php.net

In fact, the escapeString() method is not binary-safe.

------------------------------------------------------------------------
[2012-06-19 05:28:29] lgynove at 163 dot com

Description:
------------
This bug is in sqlite3, not sqlite.
Using a picture file (*.jpg) does not work.
Using *.txt works OK.

Using the sqlite function (sqlite_escape_string) works OK!


Test script:
---------------
<?php
$db = new SQLite3(dirname(__FILE__) . '/test.sqlite');

// Binary input (JPEG): compare the length before and after escaping
$str = file_get_contents('d:/www/test.jpg');
echo strlen($str),"\n";
$str = $db->escapeString($str);
echo strlen($str),"\n";

// Plain-text input: compare the length before and after escaping
$str = file_get_contents('d:/www/test.txt');
echo strlen($str),"\n";
$str = $db->escapeString($str);
echo strlen($str),"\n";

Expected result:
----------------
5000
5000
35
35

Actual result:
--------------
5000
4
35
35


------------------------------------------------------------------------
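
Added example, not part of the bug report and not PHP or SQLite source code: a small C model of the documented %q rule quoted above (nul-terminated input, each '\'' doubled), run over a constructed JFIF header, next to a binary-safe hex blob literal (X'..') used here in place of the base64 suggestion. The function names and sample bytes are assumptions; a result of 4 is consistent with the report if test.jpg starts with a typical JFIF header.

```c
#include <stdio.h>
#include <string.h>

/* Model of the documented %q rule (not SQLite's own code): copy a
 * nul-terminated string, doubling each '\''. Returns the output length,
 * or (size_t)-1 if out is too small. */
size_t q_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {          /* stops at the first NUL byte */
        size_t need = (*in == '\'') ? 2 : 1;
        if (n + need >= outsz) return (size_t)-1;
        if (*in == '\'') out[n++] = '\'';
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Binary-safe alternative: encode len raw bytes as an SQLite blob
 * literal X'..' (hex, chosen here instead of base64). */
size_t blob_literal(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (outsz < 2 * len + 4) return (size_t)-1;
    out[n++] = 'X'; out[n++] = '\'';
    for (size_t i = 0; i < len; i++) {
        out[n++] = hex[in[i] >> 4];
        out[n++] = hex[in[i] & 0x0F];
    }
    out[n++] = '\''; out[n] = '\0';
    return n;
}

/* Constructed sample: the first bytes of a typical JFIF (.jpg) file. */
const unsigned char JFIF_HEAD[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00
};

int main(void)
{
    char buf[64];
    printf("%zu\n", q_escape((const char *)JFIF_HEAD, buf, sizeof buf));
    printf("%zu\n", q_escape("it's", buf, sizeof buf));
    blob_literal(JFIF_HEAD, sizeof JFIF_HEAD, buf, sizeof buf);
    printf("%s\n", buf);
    return 0;
}
```

The length must travel with the data for the blob path to work, which is exactly what a nul-terminated string interface cannot provide.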


