|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #66495 fetchAllFiltered() method or alike for PDO
Submitted: 2014-01-16 14:40 UTC Modified: 2019-05-15 20:34 UTC
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: aniismovsa at gmail dot com Assigned:
Status: Wont fix Package: PDO related
PHP Version: 5.5.8 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: aniismovsa at gmail dot com
New email:
PHP Version: OS:


 [2014-01-16 14:40 UTC] aniismovsa at gmail dot com
Hello. I think it would be very useful to have otput filtering built in PDO. For example if use fetchAll() I get raw data which might have XSS javascript inside. Then I have to filter it somehow e.g. htmlspecialchars. 
I think it would be great if such filtering could be done with method like fetchAllFiltered(array('number','string','html');
For example if i have a table posts and it looks like id, title, body then when calling fetchAllFiltered('number','string','html') i would get id sanitized as a number, title sanitized as a string or simply with htmlspecialchars() and a body which would get sanitized as html. e.g. no javascript inside, but all html tags present.
 Currently to filter the data coming from database usually is used filter_var or htmlspecialchars or anything else which i think is one more step in development which could be dropped using fetchAllFiltered().
 Also i think that filtering could be added in default fetch methods of PDO as an array argument which describes filtering of output for those methods. 
For example: fetchAll(array('number',string','html')); and we get the filtered output.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-06 14:39 UTC] narf at devilix dot net
-1 ... or rather -2

XSS (or any kind of output filtering) isn't PDO's job.
 [2017-10-24 08:29 UTC]
-Package: PDO Core +Package: PDO related
 [2019-05-15 20:34 UTC]
-Status: Open +Status: Wont fix
 [2019-05-15 20:34 UTC]
Handling data in a way to prevent specific kinds of attacks should be done at the place where it is used. For the specific kinds of attacks you mentioned it makes no sense for the database layer to try (and fail to) handle this.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jun 19 07:01:31 2024 UTC