Bug #36870 odbc_execute can't insert a string that starts and ends with a single quote
Submitted: 2006-03-27 12:08 UTC Modified: 2006-04-10 00:40 UTC
From: mjs at beebo dot org Assigned:
Status: Not a bug Package: ODBC related
PHP Version: 5.1.2 OS: Windows
Private report: No CVE-ID: None
 [2006-03-27 12:08 UTC] mjs at beebo dot org
Description:
------------
odbc_execute has a feature whereby if the string to be inserted starts and ends with a single quote, the string is interpreted as a filename whose contents are interpreted as the value of the placeholder.

There does not appear to be a way to insert a string that begins and ends with a single quote--neither backslashing nor double-quoting works, and it appears from reading the source (php_odbc.c:1014) that nothing else will either.

Reproduce code:
---------------
$sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(?)");
$res = odbc_execute($sth, array('\'The Count\''));


Expected result:
----------------
The string \'The Count\' inserted into the database.

Actual result:
--------------
The string is interpreted as a filename, resulting in the error "Can't open file XXX" in the error log.

 [2006-04-10 00:40 UTC] edink@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is a documented limitation. See http://www.php.net/manual/en/function.odbc-execute.php
 [2016-01-26 14:42 UTC] lehmann at cnm dot de
Just because something is documented, it is not a desirable feature. I'm pretty sure that most of the database developers - although the documentation formally exists - are not aware of this unexpected weirdness.

If it was a feature, you could explicitly decide to use it. In this case however, you cannot even opt-out or disable it. You are forced to use the less secure odbc_exec() instead, which doesn't allow prepared statements. Or you are forced to code workarounds like adding a blank to the string on PHP side and use RTRIM(?) on database side to remove it.

So while 0,01% of the developers may find this feature useful, 99,99% won't even be aware of it and introduce a security hole into their applications unwillingly. I think it's time to clean up and make those rare users make use of file_get_contents() instead.
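A guard for the behaviour discussed in this report, as an added example that is not code from the report, its commenters or the PHP project: it detects parameters that begin and end with a single quote before they reach odbc_execute(), and shows the blank-plus-RTRIM(?) workaround mentioned in the 2016 comment. The function names are hypothetical, the sample values are constructed, and the check is deliberately broader than strictly necessary (any string of two or more characters with both quotes).

```php
<?php
declare(strict_types=1);

/**
 * Return the keys of parameters that begin and end with a single quote,
 * the shape the report says odbc_execute() treats as a filename.
 * Conservative assumption: any string of length >= 2 with both quotes.
 */
function quoted_param_keys(array $params): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        if (is_string($value) && strlen($value) >= 2
            && $value[0] === "'" && substr($value, -1) === "'") {
            $hits[] = $key;
        }
    }
    return $hits;
}

/**
 * Workaround from the 2016 comment: append a blank so the value no longer
 * ends with a quote. Each affected placeholder must be written RTRIM(?)
 * in the SQL, which also strips trailing blanks the caller intended.
 */
function pad_quoted_params(array $params): array
{
    foreach (quoted_param_keys($params) as $key) {
        $params[$key] .= ' ';
    }
    return $params;
}

/** Hypothetical wrapper: refuse to execute rather than let a value be read as a path. */
function odbc_execute_literal($stmt, array $params): bool
{
    $hits = quoted_param_keys($params);
    if ($hits !== []) {
        throw new InvalidArgumentException(
            'Parameter(s) ' . implode(', ', $hits) . ' would be treated as a filename');
    }
    return odbc_execute($stmt, $params);
}

// Constructed sample input: the value from the report plus ordinary values.
$params = ["'The Count'", "O'Brien", "'unterminated", 42];
var_dump(quoted_param_keys($params));
var_dump(pad_quoted_params($params)[0]);
```

Rejecting the value is the safer default when parameters come from user input; the padding variant only makes sense where the statement text is under the caller's control and trailing whitespace is not significant.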
 
Last updated: Tue Feb 25 06:01:25 2020 UTC