PHP :: Request #38196 :: quoteIdentifier() in PDO

quoteIdentifier() in PDO

Submitted:

2006-07-24 17:49 UTC

Modified:

2010-08-27 06:01 UTC

Votes:	30
Avg. Score:	4.6 ± 0.6
Reproduced:	29 of 29 (100.0%)
Same Version:	0 (0.0%)
Same OS:	11 (37.9%)

From:

wasti dot redl at gmx dot net

Assigned:

Status:

Open

Package:

PDO related

PHP Version:

5.1.4

OS:

Linux

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	wasti dot redl at gmx dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-07-24 17:49 UTC] wasti dot redl at gmx dot net

Description:
------------
It would be nice if PDO supported a quoteIdentifier() method like PEAR::MDB2 does, that quotes strings according to identifier rules of the DBMS. In other words, I need to use arbitrary strings as field or table names in a query and would like a DBMS-independent way of quoting them.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-08-02 16:01 UTC] jo at feuersee dot de

I agree that the current PDO implementation lacks a portable way to quote SQL identifiers like table or field names. 
Some people will argue that in most cases it's better to avoid quote identifiers at all, and I agree. But every database has it's own list of reserved words which can't be used as a field or table name unless quoted. As it is hardly possible to avoid all reserved words from all databases (to improve portability between database backends), implementing such a method in PDO would be a big help.

Alternative suggestion: instead of adding a new method quoteIdentifier() extend PDO::quote() method to accept a new const PDO::PARAM_IDENTIFIER which works as follows:

$sql = sprintf("SELECT %s FROM %s",
    $pdo->quote('field', PDO::PARAM_IDENTIFIER),
    $pdo->quote('table', PDO::PARAM_IDENTIFIER)
);

$sql would then be 
for MySQL backend: 
SELECT `field` FROM `table`

for SQLite:
SELECT 'field' FROM 'table'

[2010-08-27 06:01 UTC] aharvey@php.net

-Package: Feature/Change Request +Package: PDO related

[2010-10-02 10:39 UTC] + at ni-poc dot com

This would be especially handy if you try to extend PDO to allow extended placeholder syntax. In that case you normally simply imply that ` is used as field quote and thus defeat the purpose of using PDO - it isn't cross-DB-compatible anymore.

[2013-09-25 22:12 UTC] aharvey@php.net

Related To: Bug #65757

[2014-10-08 00:01 UTC] cmanley at xs4all dot nl

Hopefully this important (IMHO) feature will be added before we end up in a geriatric ward.
It has only been 8 years so far.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2020 The PHP Group All rights reserved.	Last updated: Wed Jan 29 14:01:24 2020 UTC