PHP :: Bug #36870 :: odbc_execute can't insert a string that starts and ends with a single quote

Bug #36870	odbc_execute can't insert a string that starts and ends with a single quote
Submitted:	2006-03-27 12:08 UTC	Modified:	2006-04-10 00:40 UTC
From:	mjs at beebo dot org	Assigned:
Status:	Not a bug	Package:	ODBC related
PHP Version:	5.1.2	OS:	Windows
Private report:	No	CVE-ID:	None

View Developer Edit

[2006-03-27 12:08 UTC] mjs at beebo dot org

Description:
------------
odbc_execute has a feature whereby if the string to be inserted starts and ends with a single quote, the string is interpreted as a filename whose contents are interpreted as the value of the placeholder.

There does not appear to be a way to insert a string that begins and ends with a single quote--neither backslashing nor double-quoting works, and it appears from reading the source (php_odbc.c:1014) that nothing else will either.

Reproduce code:
---------------
$sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(?)");
$res = odbc_execute($sth, array('\'The Count\''));


Expected result:
----------------
The string \'The Count\' inserted into the database.

Actual result:
--------------
The string is interpreded as a filename, resulting in the erro "Can't open file XXX" in the error log.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-04-10 00:40 UTC] edink@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is documented limitation. See http://www.php.net/manual/en/function.odbc-execute.php

[2016-01-26 14:42 UTC] lehmann at cnm dot de

Just because something is documented, it is not a desirable feature. I'm pretty sure that most of the database developers - although the documentation formally exists - are not aware of this unexpected weirdness.

If it was a feature, you could explicitly decide to use it. In this case however, you cannot even opt-out or disable it. You are forced to use the less secure odbc_exec() instead, which doesn't allow prepared statements. Or you are forced to code workarounds like adding a blank to the string on PHP side and use RTRIM(?) on database side to remove it.

So while 0,01% of the developers may find this feature useful, 99,99% won't even be aware of it and introduce a security hole into their applications unwillingly. I think it's time to clean up and make those rare users make us of file_get_contents() instead.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Nov 07 19:00:02 2025 UTC