Request #38196 quoteIdentifier() in PDO
Submitted: 2006-07-24 17:49 UTC Modified: 2021-07-16 14:18 UTC
Votes:32
Avg. Score:4.6 ± 0.6
Reproduced:31 of 31 (100.0%)
Same Version:0 (0.0%)
Same OS:11 (35.5%)
From: wasti dot redl at gmx dot net Assigned:
Status: Suspended Package: PDO related
PHP Version: 5.1.4 OS: Linux
Private report: No CVE-ID: None
 [2006-07-24 17:49 UTC] wasti dot redl at gmx dot net
Description:
------------
It would be nice if PDO supported a quoteIdentifier() method like PEAR::MDB2 does, that quotes strings according to identifier rules of the DBMS. In other words, I need to use arbitrary strings as field or table names in a query and would like a DBMS-independent way of quoting them.


 [2010-08-02 16:01 UTC] jo at feuersee dot de
I agree that the current PDO implementation lacks a portable way to quote SQL identifiers like table or field names.
Some people will argue that in most cases it's better to avoid quoting identifiers at all, and I agree. But every database has its own list of reserved words which can't be used as a field or table name unless quoted. As it is hardly possible to avoid all reserved words from all databases (to improve portability between database backends), implementing such a method in PDO would be a big help.

Alternative suggestion: instead of adding a new method quoteIdentifier(), extend the PDO::quote() method to accept a new const PDO::PARAM_IDENTIFIER which works as follows:

$sql = sprintf("SELECT %s FROM %s",
    $pdo->quote('field', PDO::PARAM_IDENTIFIER),
    $pdo->quote('table', PDO::PARAM_IDENTIFIER)
);

$sql would then be 
for MySQL backend: 
SELECT `field` FROM `table`

for SQLite:
SELECT 'field' FROM 'table'
 [2010-08-27 06:01 UTC] aharvey@php.net
-Package: Feature/Change Request +Package: PDO related
 [2010-10-02 10:39 UTC] + at ni-poc dot com
This would be especially handy if you try to extend PDO to allow extended placeholder syntax. In that case you normally simply imply that ` is used as field quote and thus defeat the purpose of using PDO - it isn't cross-DB-compatible anymore.
 [2014-10-08 00:01 UTC] cmanley at xs4all dot nl
Hopefully this important (IMHO) feature will be added before we end up in a geriatric ward.
It has only been 8 years so far.
 [2021-03-02 12:51 UTC] divinity76+spam at gmail dot com
I too want a PDO::quoteIdentifier.

It's been 10.5 years and counting..
 [2021-07-16 14:18 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2021-07-16 14:18 UTC] cmb@php.net
This requires someone to go through the RFC process[1].  For the
time being, I suspend this ticket.

[1] <https://wiki.php.net/rfc/howto>
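
Added example, not part of the original thread and not a PDO API: a userland sketch of the kind of helper this request asks for, so that table and column names which cannot be bound as parameters are still escaped before being interpolated into SQL. The function name, the per-driver quote characters (taken from each DBMS's documented identifier syntax) and the sample identifiers are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical userland helper (PDO itself has no such method).
 * Quotes $name as ONE identifier for the driver behind $pdo; a dotted
 * name such as schema.table must be split and quoted part by part.
 */
function quoteIdentifier(PDO $pdo, string $name): string
{
    // Empty names and NUL bytes are never valid identifiers: reject them
    // instead of passing them on to the driver.
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid SQL identifier');
    }
    $driver = $pdo->getAttribute(PDO::ATTR_DRIVER_NAME);
    switch ($driver) {
        case 'mysql':
            // Backtick-delimited; an embedded backtick is doubled.
            return '`' . str_replace('`', '``', $name) . '`';
        case 'sqlite':
        case 'pgsql':
            // Standard SQL delimited identifier; an embedded " is doubled.
            return '"' . str_replace('"', '""', $name) . '"';
        case 'sqlsrv':
        case 'dblib':
            // Bracket-delimited; only the closing bracket needs doubling.
            return '[' . str_replace(']', ']]', $name) . ']';
        default:
            // Fail closed: never fall back to the raw, unquoted name.
            throw new RuntimeException("No identifier quoting rule for driver '$driver'");
    }
}

// Constructed demo against an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$table  = quoteIdentifier($pdo, 'order');   // reserved word as table name
$column = quoteIdentifier($pdo, 'we"ird');  // name containing the quote char

$pdo->exec("CREATE TABLE $table ($column TEXT)");

// Identifiers are quoted by the helper; values still go through placeholders.
$stmt = $pdo->prepare("INSERT INTO $table ($column) VALUES (?)");
$stmt->execute(['stored value']);

echo $pdo->query("SELECT $column FROM $table")->fetchColumn(), PHP_EOL;
```

When identifiers come from user input, checking them against a fixed allow-list of known table and column names before quoting is the stricter control; quoting alone only guarantees the string is parsed as a single identifier.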
 