|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-10-05 13:02 UTC] cmb@php.net
-Status: Open
+Status: Verified
[2020-10-05 13:02 UTC] cmb@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 12:01:31 2024 UTC |
Description: ------------ currently odbc_execute is declared as:- bool odbc_execute ( resource $result_id [, array $parameters_array ] ) But parameters_array has a quirk i.e:- Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder. I suggest that an additional argument be added i.e. bool odbc_execute ( resource $result_id [, array $parameters_array [, mixed $filenames = true ]] ) By default $filenames would be true and the existing functionality will be unchanged. But if false the values in $parameters_array will never be interpreted as filenames. Also $filenames could be an array of true/false values specifying for each element of $parameters_array if the value should be interpreted as a filename. This change would allow odbc_prepare and odbc_execute to be used more often, in particular to help protect against SQL injection attacks which odbc_exec is prone to.