Bug #59717 driver quotes " in string
Submitted: 2011-04-17 14:44 UTC
Modified: 2011-09-02 04:58 UTC
From: gawain at camlann dot de
Assigned:
Status: Closed
Package: PDO_IBM (PECL)
PHP Version: Irrelevant
OS: Linux
Private report: No
CVE-ID: None
 [2011-04-17 14:44 UTC] gawain at camlann dot de
Description:
------------
While trying to delete some rows with ZF I noticed that the rows did not get deleted. The SQL is this:

DELETE FROM EVENTQUEUE_EVENTS WHERE (time = '2011-04-18 20:20:03.000000') AND (callback_class = 'DomainModel_AccountCallback') AND (callback_method = 'handleDeletionCallback') AND (callback_params = 'a:1:{s:8:\"username\";s:9:\"Gawalione\";}')

The SQL is built using the ZF quoteInto(), which in turn uses PDO::quote() to do the job. As you can see in the above statement, PDO::quote() returns the value for callback_params enclosed in ' but also quotes " as \". This causes DB2 to not find any matching rows and therefore it does nothing...

Reproduce code:
---------------
$table->getAdapter()->quoteInto('callback_params = ?', serialize(array('username'=>'Gawalione')));

Expected result:
----------------
callback_params = 'a:1:{s:8:"username";s:9:"Gawalione";}'

Actual result:
--------------
callback_params = 'a:1:{s:8:\"username\";s:9:\"Gawalione\";}'

 [2011-04-19 03:22 UTC] abhargav at in dot ibm dot com
Hi,

I have made the changes as per the PDO specs (http://in.php.net/manual/en/pdo.quote.php). Please find the following patch for ibm_driver.c (v1.3.2 of the PDO_IBM extension).

--- PATCH STARTS ---
632,647d631
< 			case '\n':
< 				sql[j++] = '\\';
< 				sql[j++] = 'n';
< 				break;
< 			case '\r':
< 				sql[j++] = '\\';
< 				sql[j++] = 'r';
< 				break;
< 			case '\x1a':
< 				sql[j++] = '\\';
< 				sql[j++] = 'Z';
< 				break;
< 			case '\0':
< 				sql[j++] = '\\';
< 				sql[j++] = '0';
< 				break;
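Review bot: with the `case '\0':` branch gone, an embedded NUL byte gets no special handling in the lines shown and would presumably be copied into the quoted string as-is by the remaining code, which is not visible here. Please confirm that every consumer of `sql` works from the returned length rather than `strlen()`, and add tests for input containing NUL, CR and LF so the new behaviour is pinned down.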
649d632
< 				sql[j++] = '\\';
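Review bot: the deletion at old line 649 comes with no context, so the case label it belonged to cannot be checked from the patch itself. Please resend as a unified diff (`diff -u`) so the surrounding switch is visible to reviewers.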
651,658c634
< 				break;
< 			case '\"':
< 				sql[j++] = '\\';
< 				sql[j++] = '\"';
< 				break;
< 			case '\\':
< 				sql[j++] = '\\';
< 				sql[j++] = '\\';
---
> 				sql[j++] = '\'';
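Review bot: the `break;` at old line 651 is deleted and the replacement line `sql[j++] = '\'';` adds none, so the single-quote branch now relies on whatever follows old line 658 to end the case. Please confirm a `break;` remains there and nothing falls through into the next label, and add a short comment that `"` and `\` are intentionally copied unescaped.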
--- PATCH ENDS ---

Let me know your feedback.

Regards,
Ambrish Bhargava
 [2011-04-21 12:44 UTC] gawain at camlann dot de
Seems to work for me now. But I did not test all cases, only the one with the quoted ".
But is it a good idea not to quote \0, \r and \n ?
 [2011-09-02 04:58 UTC] abhargav at in dot ibm dot com
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Hi,

This is fixed in SVN.

Regards,
Ambrish Bhargava
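
Added example, not part of the original report or the PDO_IBM source: a length-aware C routine for standard SQL literal quoting, where only the single quote is doubled and `"`, `\`, CR, LF and NUL are copied through unchanged. The function name `sql_quote_standard` and its signature are hypothetical; the sample value is the one from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (assumption, not the driver's code): quote in_len
 * bytes of `in` as a standard SQL string literal. Returns a malloc'd
 * buffer, NUL-terminated for convenience, and stores the literal's byte
 * length in *out_len so embedded NUL bytes are not lost. NULL on failure. */
char *sql_quote_standard(const char *in, size_t in_len, size_t *out_len)
{
    size_t i, j = 0;
    char *out;

    /* Worst case: every byte doubled, two delimiters, one terminator. */
    if (in_len > (SIZE_MAX - 3) / 2)
        return NULL;
    out = malloc(2 * in_len + 3);
    if (out == NULL)
        return NULL;

    out[j++] = '\'';
    for (i = 0; i < in_len; i++) {
        if (in[i] == '\'')
            out[j++] = '\'';    /* double the quote, no backslash */
        out[j++] = in[i];       /* every other byte is copied as-is */
    }
    out[j++] = '\'';
    out[j] = '\0';
    *out_len = j;
    return out;
}

int main(void)
{
    /* Serialized value from the report. */
    const char *v = "a:1:{s:8:\"username\";s:9:\"Gawalione\";}";
    size_t n = 0;
    char *q = sql_quote_standard(v, strlen(v), &n);

    if (q == NULL)
        return 1;
    printf("callback_params = %s (%zu bytes)\n", q, n);
    free(q);
    return 0;
}
```

Callers must use the returned length rather than `strlen()` when the input may contain NUL bytes; binding the value as a statement parameter avoids literal quoting altogether.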
 