ID:              35795
 User updated by: spaze-bugs at exploited dot cz
 Reported By:     spaze-bugs at exploited dot cz
 Status:          Bogus
 Bug Type:        PDO related
 PHP Version:     5.1.1
 New Comment:

PDO has no way to know what I've done, you're right. But I don't have
a way to tell PDO that the environment got changed and that it should
quote a little differently. I don't mean that it should do runtime checks
(like SELECT @@sql_mode), but some specific attribute, as I've already
written.

Thanks for pointing me to the native prepared statements, but as I've
read the source a little, I see that whether to use native prepared
statements or not is a compile-time option and it's not exposed by e.g.
phpinfo(). So some kind of end-user has no way to know if native
prepared statements are used or not, especially if he's using some
precompiled binary, e.g. a Windows distribution. Am I right?

Well, it seems to me that a solution to my problem with quoting in ANSI
mode is turning off the ANSI mode (and quoting column names with backticks)
more than native prepared statements.


Previous Comments:
------------------------------------------------------------------------

[2005-12-24 19:04:31] [EMAIL PROTECTED]

When you issue queries that change the database session environment
like that, PDO has no way to know what you've done without performing
all kinds of checks on each query.
There's no reason to slow down the common case for everyone else.

All your problems are solved by using real prepared statements, where
explicit quoting is not required.


------------------------------------------------------------------------

[2005-12-24 18:58:36] spaze-bugs at exploited dot cz

Description:
------------
I'm running MySQL in ANSI SQL mode [1], which includes the ANSI_QUOTES
mode. That means

  /Treat ‘"’ as an identifier quote character (like the ‘`’ quote
character) and not as a string quote character./

When I use e.g. prepared statements I get these queries in the general
query log

  INSERT INTO "t_images" ("hash", "width", "height", "imageformat_id")
VALUES ("ff2204530628d3c589843ef0b37d344a", "500", "500", NULL)

Which is bad, the strings (the hash) in the VALUES (...) section should
be quoted by the ' character. Don't know what would be the best
solution, but I think some documented MySQL specific PDO attribute
would be OK.

Thanks for reviewing this issue.

[1] http://dev.mysql.com/doc/refman/4.1/en/server-sql-mode.html

Reproduce code:
---------------
$dbh = new PDO('mysql:host=mysql41;dbname=test', 'root', '');
$dbh->exec("SET SESSION sql_mode='ANSI'");
echo $dbh->quote('foo');


Expected result:
----------------
'foo'

Actual result:
--------------
"foo"


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=35795&edit=1
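
An application-side guard for the mismatch reported above, as an added example that is not part of the bug report or of PDO: it rejects a double-quoted literal when the session sql_mode makes '"' an identifier quote. The function names are hypothetical, the inputs are constructed from the report's expected and actual results, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the bug report). Function names are hypothetical.

/** True when the session sql_mode makes '"' an identifier quote character. */
function ansiQuotesActive(string $sqlMode): bool
{
    $modes = array_map('trim', explode(',', strtoupper($sqlMode)));
    // The report states that the ANSI combination mode includes ANSI_QUOTES.
    return in_array('ANSI_QUOTES', $modes, true) || in_array('ANSI', $modes, true);
}

/**
 * Return $quoted unchanged if it can be embedded as a string literal under
 * $sqlMode; throw if it is double-quoted while '"' delimits identifiers.
 */
function checkedLiteral(string $quoted, string $sqlMode): string
{
    if (ansiQuotesActive($sqlMode) && strlen($quoted) >= 2
        && $quoted[0] === '"' && substr($quoted, -1) === '"') {
        throw new RuntimeException(
            "literal $quoted would be parsed as an identifier under sql_mode='$sqlMode'"
        );
    }
    return $quoted;
}

// Constructed inputs: the two quote() results from the report, paired with
// sql_mode values as set by the reproduce code or as a server reports them.
$cases = [
    ["'foo'", 'ANSI'],
    ['"foo"', 'ANSI'],
    ['"foo"', 'REAL_AS_FLOAT,PIPES_AS_CONCAT,ANSI_QUOTES,IGNORE_SPACE,ANSI'],
    ['"foo"', ''],
];
foreach ($cases as [$quoted, $mode]) {
    try {
        echo checkedLiteral($quoted, $mode), " accepted (sql_mode='$mode')\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Against a live connection the mode would be read from the session, e.g.
//   $mode = $dbh->query('SELECT @@SESSION.sql_mode')->fetchColumn();
//   $sql  = '... VALUES (' . checkedLiteral($dbh->quote($hash), $mode) . ')';
```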
