php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #38196 quoteIdentifier() in PDO
Submitted: 2006-07-24 17:49 UTC Modified: 2021-07-16 14:18 UTC
Votes:32
Avg. Score:4.6 ± 0.6
Reproduced:31 of 31 (100.0%)
Same Version:0 (0.0%)
Same OS:11 (35.5%)
From: wasti dot redl at gmx dot net Assigned:
Status: Suspended Package: PDO related
PHP Version: 5.1.4 OS: Linux
Private report: No CVE-ID: None
 [2006-07-24 17:49 UTC] wasti dot redl at gmx dot net
Description:
------------
It would be nice if PDO supported a quoteIdentifier() method like PEAR::MDB2 does, that quotes strings according to identifier rules of the DBMS. In other words, I need to use arbitrary strings as field or table names in a query and would like a DBMS-independent way of quoting them.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-08-02 16:01 UTC] jo at feuersee dot de
I agree that the current PDO implementation lacks a portable way to quote SQL identifiers like table or field names. 
Some people will argue that in most cases it's better to avoid quote identifiers at all, and I agree. But every database has it's own list of reserved words which can't be used as a field or table name unless quoted. As it is hardly possible to avoid all reserved words from all databases (to improve portability between database backends), implementing such a method in PDO would be a big help.

Alternative suggestion: instead of adding a new method quoteIdentifier() extend PDO::quote() method to accept a new const PDO::PARAM_IDENTIFIER which works as follows:

$sql = sprintf("SELECT %s FROM %s",
    $pdo->quote('field', PDO::PARAM_IDENTIFIER),
    $pdo->quote('table', PDO::PARAM_IDENTIFIER)
);

$sql would then be 
for MySQL backend: 
SELECT `field` FROM `table`

for SQLite:
SELECT 'field' FROM 'table'
 [2010-08-27 06:01 UTC] aharvey@php.net
-Package: Feature/Change Request +Package: PDO related
 [2010-10-02 10:39 UTC] + at ni-poc dot com
This would be especially handy if you try to extend PDO to allow extended placeholder syntax. In that case you normally simply imply that ` is used as field quote and thus defeat the purpose of using PDO - it isn't cross-DB-compatible anymore.
 [2014-10-08 00:01 UTC] cmanley at xs4all dot nl
Hopefully this important (IMHO) feature will be added before we end up in a geriatric ward.
It has only been 8 years so far.
 [2021-03-02 12:51 UTC] divinity76+spam at gmail dot com
i too want a PDO::quoteIdentifier.

it's been 10.5 years and counting..
 [2021-07-16 14:18 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2021-07-16 14:18 UTC] cmb@php.net
This requires someone to go through the RFC process[1].  For the
time being, I suspend this ticket.

[1] <https://wiki.php.net/rfc/howto>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC