Request #38196 quoteIdentifier() in PDO
Submitted: 2006-07-24 17:49 UTC Modified: 2010-08-27 06:01 UTC
Votes:30
Avg. Score:4.6 ± 0.6
Reproduced:29 of 29 (100.0%)
Same Version:0 (0.0%)
Same OS:11 (37.9%)
From: wasti dot redl at gmx dot net Assigned:
Status: Open Package: PDO related
PHP Version: 5.1.4 OS: Linux
Private report: No CVE-ID: None
 [2006-07-24 17:49 UTC] wasti dot redl at gmx dot net
Description:
------------
It would be nice if PDO supported a quoteIdentifier() method like PEAR::MDB2 does, that quotes strings according to identifier rules of the DBMS. In other words, I need to use arbitrary strings as field or table names in a query and would like a DBMS-independent way of quoting them.


 [2010-08-02 16:01 UTC] jo at feuersee dot de
I agree that the current PDO implementation lacks a portable way to quote SQL identifiers like table or field names. 
Some people will argue that in most cases it's better to avoid quoting identifiers at all, and I agree. But every database has its own list of reserved words which can't be used as a field or table name unless quoted. As it is hardly possible to avoid all reserved words from all databases (to improve portability between database backends), implementing such a method in PDO would be a big help.

Alternative suggestion: instead of adding a new method quoteIdentifier(), extend the PDO::quote() method to accept a new const PDO::PARAM_IDENTIFIER, which works as follows:

$sql = sprintf("SELECT %s FROM %s",
    $pdo->quote('field', PDO::PARAM_IDENTIFIER),
    $pdo->quote('table', PDO::PARAM_IDENTIFIER)
);

$sql would then be 
for MySQL backend: 
SELECT `field` FROM `table`

for SQLite:
SELECT 'field' FROM 'table'
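
An added sketch of the driver-aware quoting this request asks for (not part of the thread, and not a PDO API): quoteIdentifier() is a hypothetical helper name, it handles a single unqualified name, and the MySQL branch assumes the default SQL mode (no ANSI_QUOTES). The demo at the bottom assumes the pdo_sqlite extension is loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not provided by PDO: quote ONE identifier component
// (a table or column name, not "schema.table") for the connected driver.
function quoteIdentifier(PDO $pdo, string $name): string
{
    // Empty names and NUL bytes are never valid identifiers; fail closed.
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    $driver = $pdo->getAttribute(PDO::ATTR_DRIVER_NAME);
    switch ($driver) {
        case 'mysql':
            // Backticks; an embedded backtick is escaped by doubling it.
            return '`' . str_replace('`', '``', $name) . '`';
        case 'sqlsrv':
        case 'dblib':
            // Brackets; only the closing bracket needs doubling.
            return '[' . str_replace(']', ']]', $name) . ']';
        case 'pgsql':
        case 'sqlite':
            // SQL-standard double quotes; an embedded quote is doubled.
            return '"' . str_replace('"', '""', $name) . '"';
        default:
            // Unknown driver: refuse rather than guess a quoting rule.
            throw new RuntimeException("No identifier rule for driver: $driver");
    }
}

// Demo on an in-memory SQLite database (constructed sample names).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$table  = quoteIdentifier($pdo, 'order');     // reserved word
$column = quoteIdentifier($pdo, 'select"x');  // contains the quote character

$pdo->exec("CREATE TABLE $table ($column TEXT)");

// Identifiers are quoted into the SQL text; the value is still bound.
$stmt = $pdo->prepare("INSERT INTO $table ($column) VALUES (?)");
$stmt->execute(["it's a value"]);

echo "SELECT $column FROM $table\n";
echo $pdo->query("SELECT $column FROM $table")->fetchColumn(), "\n";
```

Identifiers cannot be sent as bound parameters, which is why the helper escapes the driver's own quote character instead of relying on PDO::quote(), whose output is a string literal. Where the set of table and column names is known in advance, checking the input against that list before quoting is the stricter control.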
 [2010-08-27 06:01 UTC] aharvey@php.net
-Package: Feature/Change Request +Package: PDO related
 [2010-10-02 10:39 UTC] + at ni-poc dot com
This would be especially handy if you try to extend PDO to allow extended placeholder syntax. In that case you normally simply imply that ` is used as field quote and thus defeat the purpose of using PDO - it isn't cross-DB-compatible anymore.
 [2014-10-08 00:01 UTC] cmanley at xs4all dot nl
Hopefully this important (IMHO) feature will be added before we end up in a geriatric ward.
It has only been 8 years so far.
 
Last updated: Tue Dec 10 18:01:24 2019 UTC