|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #38196 quoteIdentifier() in PDO
Submitted: 2006-07-24 17:49 UTC Modified: 2021-07-16 14:18 UTC
Avg. Score:4.6 ± 0.6
Reproduced:31 of 31 (100.0%)
Same Version:0 (0.0%)
Same OS:11 (35.5%)
From: wasti dot redl at gmx dot net Assigned:
Status: Suspended Package: PDO related
PHP Version: 5.1.4 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: wasti dot redl at gmx dot net
New email:
PHP Version: OS:


 [2006-07-24 17:49 UTC] wasti dot redl at gmx dot net
It would be nice if PDO supported a quoteIdentifier() method like PEAR::MDB2 does, that quotes strings according to identifier rules of the DBMS. In other words, I need to use arbitrary strings as field or table names in a query and would like a DBMS-independent way of quoting them.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-08-02 16:01 UTC] jo at feuersee dot de
I agree that the current PDO implementation lacks a portable way to quote SQL identifiers like table or field names. 
Some people will argue that in most cases it's better to avoid quote identifiers at all, and I agree. But every database has it's own list of reserved words which can't be used as a field or table name unless quoted. As it is hardly possible to avoid all reserved words from all databases (to improve portability between database backends), implementing such a method in PDO would be a big help.

Alternative suggestion: instead of adding a new method quoteIdentifier() extend PDO::quote() method to accept a new const PDO::PARAM_IDENTIFIER which works as follows:

$sql = sprintf("SELECT %s FROM %s",
    $pdo->quote('field', PDO::PARAM_IDENTIFIER),
    $pdo->quote('table', PDO::PARAM_IDENTIFIER)

$sql would then be 
for MySQL backend: 
SELECT `field` FROM `table`

for SQLite:
SELECT 'field' FROM 'table'
 [2010-08-27 06:01 UTC]
-Package: Feature/Change Request +Package: PDO related
 [2010-10-02 10:39 UTC] + at ni-poc dot com
This would be especially handy if you try to extend PDO to allow extended placeholder syntax. In that case you normally simply imply that ` is used as field quote and thus defeat the purpose of using PDO - it isn't cross-DB-compatible anymore.
 [2014-10-08 00:01 UTC] cmanley at xs4all dot nl
Hopefully this important (IMHO) feature will be added before we end up in a geriatric ward.
It has only been 8 years so far.
 [2021-03-02 12:51 UTC] divinity76+spam at gmail dot com
i too want a PDO::quoteIdentifier.

it's been 10.5 years and counting..
 [2021-07-16 14:18 UTC]
-Status: Open +Status: Suspended
 [2021-07-16 14:18 UTC]
This requires someone to go through the RFC process[1].  For the
time being, I suspend this ticket.

[1] <>
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 12:01:34 2024 UTC