Bug #36870 odbc_execute can't insert a string that starts and ends with a single quote
Submitted: 2006-03-27 12:08 UTC Modified: 2006-04-10 00:40 UTC
From: mjs at beebo dot org Assigned:
Status: Not a bug Package: ODBC related
PHP Version: 5.1.2 OS: Windows
Private report: No CVE-ID: None
 [2006-03-27 12:08 UTC] mjs at beebo dot org
Description:
------------
odbc_execute has a feature whereby if the string to be inserted starts and ends with a single quote, the string is interpreted as a filename whose contents are interpreted as the value of the placeholder.

There does not appear to be a way to insert a string that begins and ends with a single quote--neither backslashing nor double-quoting works, and it appears from reading the source (php_odbc.c:1014) that nothing else will either.

Reproduce code:
---------------
<?php
// $dbh is an open ODBC connection handle obtained from odbc_connect()
$sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(?)");
// the value starts and ends with a single quote, so odbc_execute() treats it as a filename
$res = odbc_execute($sth, array('\'The Count\''));


Expected result:
----------------
The string \'The Count\' inserted into the database.

Actual result:
--------------
The string is interpreted as a filename, resulting in the error "Can't open file XXX" in the error log.

 [2006-04-10 00:40 UTC] edink@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is a documented limitation. See http://www.php.net/manual/en/function.odbc-execute.php
 [2016-01-26 14:42 UTC] lehmann at cnm dot de
Just because something is documented, it is not a desirable feature. I'm pretty sure that most of the database developers - although the documentation formally exists - are not aware of this unexpected weirdness.

If it was a feature, you could explicitly decide to use it. In this case however, you cannot even opt-out or disable it. You are forced to use the less secure odbc_exec() instead, which doesn't allow prepared statements. Or you are forced to code workarounds like adding a blank to the string on the PHP side and using RTRIM(?) on the database side to remove it.

So while 0,01% of the developers may find this feature useful, 99,99% won't even be aware of it and introduce a security hole into their applications unwillingly. I think it's time to clean up and make those rare users make use of file_get_contents() instead.
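The behaviour described in the report and the RTRIM workaround mentioned in the comment above, as an added defensive example that is not code from the bug report or from PHP itself. It assumes `$dbh` is an open `odbc_connect()` handle, that a table `people(name)` exists, and that the odbc extension is loaded; the helper names are hypothetical. The guard fails closed: any parameter that starts and ends with a single quote (the condition the report describes, checked conservatively so a lone `'` is also caught) is rejected before `odbc_execute()` can turn it into a file read, which matters most when the value comes from user input.

```php
<?php
// Added example, not part of the bug report or of PHP. Assumptions: $dbh is an
// open odbc_connect() handle, table people(name) exists, ext/odbc is loaded.

/**
 * True when odbc_execute() would treat $value as a filename, i.e. the string
 * starts and ends with a single quote. Checked conservatively: a one-character
 * "'" also matches, since it both starts and ends with a quote.
 */
function odbc_param_looks_like_file_ref($value): bool
{
    if (!is_string($value) || $value === '') {
        return false;
    }
    return $value[0] === "'" && $value[strlen($value) - 1] === "'";
}

/**
 * Fail-closed wrapper around odbc_execute(): refuses to run the statement when
 * any parameter would be read from the filesystem instead of being bound.
 */
function odbc_execute_guarded($sth, array $params): bool
{
    foreach ($params as $i => $value) {
        if (odbc_param_looks_like_file_ref($value)) {
            throw new InvalidArgumentException(
                "parameter $i starts and ends with a single quote; "
                . "odbc_execute() would read it as a filename"
            );
        }
    }
    return odbc_execute($sth, $params);
}

/**
 * Workaround from the thread: append a blank on the PHP side so the value no
 * longer ends with a quote, and let the database strip it with RTRIM(?).
 * Caveat: RTRIM also removes any legitimate trailing whitespace in the value.
 */
function insert_name_with_rtrim($dbh, string $name): bool
{
    $sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(RTRIM(?))");
    if ($sth === false) {
        return false;
    }
    return odbc_execute($sth, [$name . ' ']);
}

// Usage: the guarded call refuses the quoted value; the RTRIM variant stores it.
try {
    $sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(?)");
    odbc_execute_guarded($sth, ["'The Count'"]);
} catch (InvalidArgumentException $e) {
    error_log($e->getMessage());
}
insert_name_with_rtrim($dbh, "'The Count'"); // stores 'The Count', quotes included
```

Which of the two to use depends on the column: the guard is the right default for user-supplied values, while the RTRIM variant is only safe where trailing whitespace is not significant data.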
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jul 16 23:01:33 2025 UTC