|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2005-10-12 12:28 UTC] veter at oxarchdigital dot com
Description:
------------
sqlite_escape_string() replaces single quotes fine (' becomes ''), whilst it fails to replace double quotes, which are still used in some odd SQL code, and which are confusing SQLite. Should there be another optional parameter selecting which quotes to escape?
Reproduce code:
---------------
$sValue = sqlite_escape_string('This string contains "double quotes"');
// Note " not ' used in this SQL statement!
$sQuery = 'INSERT INTO testtab(testfld) VALUES("' . $sValue . '")';
sqlite_query($linkID, $sQuery);
Expected result:
----------------
Successful INSERT operation
Actual result:
--------------
SQL failure
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 26 18:01:31 2024 UTC |
sqlite_escape_string() is just wrapper for sqlite_mprintf("%q", string) call. In SQLite v2 this call doubles only single quotes, while in SQLite v3 it doubles ",' and \. I don't think sqlite_escape_string() will change ever, mostly for BC reasons. SQLite v3 is supported by pdo_sqlite.