From:             daniel dot kinzler at wikimedia dot de
Operating system: Ubuntu 11.10
PHP version:      5.3.18
Package:          PDO related
Bug Type:         Bug
Bug description:  PDO::quote for SQLite truncates strings on \0

Description:
------------
PDO::quote for SQLite is not binary safe, it silently truncates strings on \0.
Either \0 should be supported, or the method should trigger a warning if \0 is
found and return false.

Note that the same problem exists with SQLite3::escapeString, see Bug 62361. In
that report, someone pointed to SQLite's mprintf as the culprit
<http://www.sqlite.org/c3ref/mprintf.html>.

From mprintf's documentation: "The %q option works like %s in that it
substitutes a nul-terminated string from the argument list." It operates on
null-terminated strings, so null must not be present in strings. PDO needs to
work around this fact.

Test script:
---------------
<?php
// This contains ASCII 0x00 aka \0
$data = "x\0y";

$pdo = new PDO( "sqlite:test", '', '', array( PDO::ATTR_PERSISTENT => false ) );
print "PDO/SQLite: " . bin2hex( $pdo->quote( $data ) ) . "\n";

Expected result:
----------------
Raw: 'xy'
Hex: 2778007827

Note that the 'xy' above is intended to contain an invisible null character.

Alternatively, the hex representation could be used:

Raw: x'2778007827'.

That would probably be the safest option, and should Just Work with existing
code.

Actual result:
--------------
Raw: 'x'
Hex: 277827
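
An added example, not part of the original report or of PHP's own code: one way for application code to avoid depending on PDO::quote for values that may contain \0. It binds the value as a parameter and checks the stored bytes with SQLite's hex() and length(); the helper name quoteOrFail, the table t and the in-memory database are assumptions made for the illustration.

```php
<?php
// Hypothetical helper: refuse to build an SQL literal from a value that
// contains a NUL byte, instead of letting it be shortened silently.
// This mirrors the report's second suggestion (fail rather than truncate).
function quoteOrFail(PDO $pdo, string $value): string
{
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException(
            'Value contains a NUL byte; bind it as a parameter instead of quoting it.'
        );
    }
    return $pdo->quote($value);
}

// In-memory database so the example leaves no file behind.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (v BLOB)');

// Constructed sample input, same shape as the report's test script.
$data = "x\0y";

// Binary-safe path: the value is passed to the driver as a bound
// parameter, so no SQL literal is ever built from it.
$stmt = $pdo->prepare('INSERT INTO t (v) VALUES (:v)');
$stmt->bindValue(':v', $data, PDO::PARAM_LOB);
$stmt->execute();

// Let SQLite report what it stored, independent of how PHP fetches it.
$row = $pdo->query('SELECT hex(v) AS h, length(v) AS n FROM t')
           ->fetch(PDO::FETCH_ASSOC);
print "stored hex:    " . $row['h'] . "\n";
print "stored length: " . $row['n'] . "\n";
print "input hex:     " . strtoupper(bin2hex($data)) . "\n";

// Guarded quoting: a value with \0 is rejected before it reaches quote().
try {
    quoteOrFail($pdo, $data);
} catch (InvalidArgumentException $e) {
    print "rejected: " . $e->getMessage() . "\n";
}

// Values without \0 still go through PDO::quote unchanged.
print "quoted: " . quoteOrFail($pdo, "it's fine") . "\n";
```

If the stored hex and the input hex differ, or the stored length is shorter than strlen($data), the value was altered on the way into the database.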