Request #66495 fetchAllFiltered() method or alike for PDO
Submitted: 2014-01-16 14:40 UTC Modified: 2019-05-15 20:34 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: aniismovsa at gmail dot com Assigned:
Status: Wont fix Package: PDO related
PHP Version: 5.5.8 OS: any
Private report: No CVE-ID: None
 [2014-01-16 14:40 UTC] aniismovsa at gmail dot com
Description:
------------
Hello. I think it would be very useful to have output filtering built into PDO. For example, if I use fetchAll() I get raw data which might have XSS JavaScript inside. Then I have to filter it somehow, e.g. with htmlspecialchars.
I think it would be great if such filtering could be done with a method like fetchAllFiltered(array('number','string','html'));
For example, if I have a table posts and it looks like id, title, body, then when calling fetchAllFiltered('number','string','html') I would get id sanitized as a number, title sanitized as a string or simply with htmlspecialchars(), and a body which would get sanitized as HTML, e.g. no JavaScript inside, but all HTML tags present.
Currently, to filter the data coming from the database, filter_var or htmlspecialchars or something else is usually used, which I think is one more step in development that could be dropped by using fetchAllFiltered().
Also I think that filtering could be added to the default fetch methods of PDO as an array argument which describes the filtering of output for those methods.
For example: fetchAll(array('number','string','html')); and we get the filtered output.
History

 [2014-03-06 14:39 UTC] narf at devilix dot net
-1 ... or rather -2

XSS (or any kind of output filtering) isn't PDO's job.
 [2017-10-24 08:29 UTC] kalle@php.net
-Package: PDO Core +Package: PDO related
 [2019-05-15 20:34 UTC] peehaa@php.net
-Status: Open +Status: Wont fix
 [2019-05-15 20:34 UTC] peehaa@php.net
Handling data in a way to prevent specific kinds of attacks should be done at the place where it is used. For the specific kinds of attacks you mentioned it makes no sense for the database layer to try (and fail to) handle this.
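An added example (not code from this report or from PDO itself) illustrating the point made in the reply above: one fetched row is rendered into three different output contexts, and each needs its own encoding, so a single fetch-time filter cannot be right for all of them. It assumes the pdo_sqlite extension and uses constructed sample data.

```php
<?php
// Added example: escaping at the point of use, not in PDO::fetchAll().
// The same row goes to three contexts, each with a different encoding.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$ins = $pdo->prepare('INSERT INTO posts (title, body) VALUES (?, ?)');
// Constructed row: a title containing HTML metacharacters and both quote kinds.
$ins->execute(['Tom & Jerry\'s "Best" <Episodes>', '<p>Hello <b>world</b></p>']);

// Fetch raw data exactly as PDO does today; nothing is escaped here.
$rows = $pdo->query('SELECT id, title, body FROM posts')->fetchAll(PDO::FETCH_ASSOC);

// Context 1: HTML element content or a quoted attribute value.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 2: a value embedded in an inline <script> as JSON. HTML escaping is
// wrong here (it would corrupt the string); the JSON_HEX_* flags keep "</script>"
// and "<!--" from terminating the script element.
function escJs(array $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Context 3: plain text (an e-mail subject, a log line). No HTML escaping at all;
// a fetch-time htmlspecialchars() would leave "&amp;" and "&quot;" in the output.
function escText(string $s): string
{
    return str_replace(["\r", "\n"], ' ', $s);
}

foreach ($rows as $row) {
    $id = (int) $row['id']; // "sanitized as a number": cast where it is used
    printf("<h1 data-id=\"%d\">%s</h1>\n", $id, escHtml($row['title']));
    printf("<script>var post = %s;</script>\n", escJs(['id' => $id, 'title' => $row['title']]));
    printf("Subject: %s\n", escText($row['title']));
    // The body is stored as HTML on purpose. Rendering it through escHtml() shows
    // the tags literally; emitting it raw needs an allow-list HTML sanitizer at
    // the rendering layer, which is a separate concern from the database layer.
}
```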
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 22:01:27 2024 UTC