PHP :: Bug #34837 :: sqlite_escape_string() fails to escape double quotes correctly

Bug #34837

sqlite_escape_string() fails to escape double quotes correctly

Submitted:

2005-10-12 12:28 UTC

Modified:

2005-10-12 12:50 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

veter at oxarchdigital dot com

Assigned:

Status:

Wont fix

Package:

SQLite related

PHP Version:

5.1.0RC1

OS:

Win32

Private report:

CVE-ID:

None

View Developer Edit

[2005-10-12 12:28 UTC] veter at oxarchdigital dot com

Description:
------------
sqlite_escape_string() replaces single quotes fine (' becomes ''), whilst it fails to replace double quotes, which are still used in some odd SQL code, and which are confusing SQLite. Should there be another optional parameter selecting which quotes to escape?

Reproduce code:
---------------
$sValue = sqlite_escape_string('This string contains "double quotes"');
// Note " not ' used in this SQL statement!
$sQuery = 'INSERT INTO testtab(testfld) VALUES("' . $sValue . '")';
sqlite_query($linkID, $sQuery);

Expected result:
----------------
Successful INSERT operation

Actual result:
--------------
SQL failure

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-10-12 12:50 UTC] tony2001@php.net

sqlite_escape_string() is just wrapper for sqlite_mprintf("%q", string) call.
In SQLite v2 this call doubles only single quotes, while in SQLite v3 it doubles ",' and \.
I don't think sqlite_escape_string() will change ever, mostly for BC reasons.
SQLite v3 is supported by pdo_sqlite.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 10:00:02 2025 UTC