php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34837 sqlite_escape_string() fails to escape double quotes correctly
Submitted: 2005-10-12 12:28 UTC Modified: 2005-10-12 12:50 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: veter at oxarchdigital dot com Assigned:
Status: Wont fix Package: SQLite related
PHP Version: 5.1.0RC1 OS: Win32
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: veter at oxarchdigital dot com
New email:
PHP Version: OS:

 

 [2005-10-12 12:28 UTC] veter at oxarchdigital dot com
Description:
------------
sqlite_escape_string() replaces single quotes fine (' becomes ''), whilst it fails to replace double quotes, which are still used in some odd SQL code, and which are confusing SQLite. Should there be another optional parameter selecting which quotes to escape?

Reproduce code:
---------------
$sValue = sqlite_escape_string('This string contains "double quotes"');
// Note " not ' used in this SQL statement!
$sQuery = 'INSERT INTO testtab(testfld) VALUES("' . $sValue . '")';
sqlite_query($linkID, $sQuery);

Expected result:
----------------
Successful INSERT operation

Actual result:
--------------
SQL failure


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-12 12:50 UTC] tony2001@php.net
sqlite_escape_string() is just wrapper for sqlite_mprintf("%q", string) call.
In SQLite v2 this call doubles only single quotes, while in SQLite v3 it doubles ",' and \.
I don't think sqlite_escape_string() will change ever, mostly for BC reasons.
SQLite v3 is supported by pdo_sqlite. 
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Aug 15 12:01:25 2020 UTC