Edit report at https://bugs.php.net/bug.php?id=63419&edit=1

ID:                 63419
User updated by:    daniel dot kinzler at wikimedia dot de
Reported by:        daniel dot kinzler at wikimedia dot de
Summary:            PDO::quote for SQLite truncates strings on \0
Status:             Open
Type:               Bug
Package:            PDO related
Operating System:   Ubuntu 11.10
PHP Version:        5.3.18
Block user comment: N
Private report:     N

New Comment:

Sorry, here's the correct version of the test script:

<?php
// This contains ASCII 0x00 aka \0
$data = "x\0y";

$pdo = new PDO( "sqlite:test", '', '', array( PDO::ATTR_PERSISTENT => false ) );
$result = $pdo->quote( $data );

print "Raw: " . $result . "\n";
print "Hex: " . bin2hex( $result ) . "\n";


Previous Comments:
------------------------------------------------------------------------
[2012-11-02 11:06:17] daniel dot kinzler at wikimedia dot de

Description:
------------
PDO::quote for SQLite is not binary safe, it silently truncates strings on \0. Either, \0 should be supported, or the method should trigger a warning if \0 is found and return false.

Note that the same problem exists with SQLite3::escapeString, see Bug 62361. In that report, someone pointed to SQLite's mprintf as the culprit <http://www.sqlite.org/c3ref/mprintf.html>.

From mprintf's documentation: "The %q option works like %s in that it substitutes a nul-terminated string from the argument list."

It operates on null-terminated strings, so null must not be present in strings. PDO needs to work around this fact.

Test script:
---------------
<?php
// This contains ASCII 0x00 aka \0
$data = "x\0y";

$pdo = new PDO( "sqlite:test", '', '', array( PDO::ATTR_PERSISTENT => false ) );
print "PDO/SQLite: " . bin2hex( $pdo->quote( $data ) ) . "\n";

Expected result:
----------------
Raw: 'xy'
Hex: 2778007827

Note that the 'xy' above is intended to contain an invisible null character.

Alternatively, the hex representation could be used: Raw: x'2778007827'. That would probably be the safest option, and should Just Work with existing code.

Actual result:
--------------
Raw: 'x'
Hex: 277827

------------------------------------------------------------------------

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=63419&edit=1
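
An application-side workaround for the truncation described in the report, as an added example that is not part of the bug report or of PHP itself: values containing \0 are emitted as a hex literal (the form the report suggests) or passed as a bound parameter so they never go through PDO::quote. The helper name sqliteQuoteBinarySafe() and the table t are hypothetical, and the sample value is the one from the report's test script.

```php
<?php
// Added example (not from the bug report or php-src). sqliteQuoteBinarySafe()
// and the table "t" are hypothetical names chosen for illustration.

function sqliteQuoteBinarySafe(PDO $pdo, string $value): string
{
    // No NUL byte: the driver's own quoting sees the whole string.
    if (strpos($value, "\0") === false) {
        $quoted = $pdo->quote($value);
        if ($quoted === false) {
            throw new RuntimeException('driver could not quote value');
        }
        return $quoted;
    }
    // NUL present: emit a hex literal, as the report suggests, so no byte
    // is lost. SQLite types x'..' as BLOB, which does not compare equal to
    // TEXT holding the same bytes.
    return "x'" . bin2hex($value) . "'";
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, v)');

$data = "x\0y"; // constructed sample input, same as the report's test script

// 1. Literal built by the helper.
$pdo->exec('INSERT INTO t (v) VALUES (' . sqliteQuoteBinarySafe($pdo, $data) . ')');

// 2. Bound parameter: the value never passes through quote() at all.
$stmt = $pdo->prepare('INSERT INTO t (v) VALUES (:v)');
$stmt->bindValue(':v', $data, PDO::PARAM_LOB);
$stmt->execute();

// hex() shows what SQLite actually stored for each row.
foreach ($pdo->query('SELECT id, typeof(v) AS type, hex(v) AS hex FROM t') as $row) {
    printf("row %d: %s %s\n", $row['id'], $row['type'], $row['hex']);
}
```

Comparing the hex() column against bin2hex($data) for each row is a quick regression check that no bytes after the \0 were dropped on the way into the database.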