ID: 35795
Updated by: [EMAIL PROTECTED]
Reported By: spaze-bugs at exploited dot cz
-Status: Assigned
+Status: Closed
Bug Type: PDO related
PHP Version: 5.1.1
Assigned To: wez
New Comment:
MySQL driver now uses ANSI complain quoting style by default.
Previous Comments:
------------------------------------------------------------------------
[2005-12-25 20:27:24] [EMAIL PROTECTED]
It's not a compile time option.
If your environment supports native statements, they will work. If it
doesn't, PDO will emulate them.
Using prepared statements is strongly recommended over manually
building queries, for performance and readability, and because it
reduces the risk of SQL injection.
------------------------------------------------------------------------
[2005-12-25 17:37:21] [EMAIL PROTECTED]
Assigned to the PDO maintainer.
------------------------------------------------------------------------
[2005-12-25 13:19:56] spaze-bugs at exploited dot cz
According to MySQL manual
A string is a sequence of characters, surrounded by either single
quote (') or double quote (") characters. [...] If the server SQL
mode has ANSI_QUOTES enabled, string literals can be quoted only with
single quotes.
So the quoter should use single quotes with emulated prepared
statements (instead of double quotes) to be compatible with both SQL
modes.
Thus, reopening.
------------------------------------------------------------------------
[2005-12-24 21:54:09] spaze-bugs at exploited dot cz
PDO has no way to know, what I've done, you're right. But I don't have
a way to tell PDO that the environment got changed and that it should
quote a little different. I don't mean that it should do runtime checks
(like SELECT @@sql_mode), but some specific attibute, as I've already
written.
Thanks for pointing me to the native prepared statements, but as I've
read the source a little, I see that whether to use native prepared
statements or not, is a compile-time option and it's not exposed by ie.
phpinfo(). So some kind of end-user has no way to know, if native
prepared statements are used or not, especially if he's using some
precompiled binary ie. Windows distribution. Am I right?
Well, it seems to me that a solution to my problem with quoting in ANSI
mode is turning off the ANSI mode (and quote column names with backtick)
more than native prepare statements.
------------------------------------------------------------------------
[2005-12-24 19:04:31] [EMAIL PROTECTED]
When you issue queries that change the database session environment
like that, PDO has no way to know what you've done without performing
all kinds of checks on each query.
There's no reason to slow down the common case for everyone else.
All your problems are solved by using real prepared statements, where
explicit quoting is not required.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/35795
--
Edit this bug report at http://bugs.php.net/?id=35795&edit=1
