Request #66495 fetchAllFiltered() method or alike for PDO
Submitted: 2014-01-16 14:40 UTC Modified: 2019-05-15 20:34 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: aniismovsa at gmail dot com Assigned:
Status: Wont fix Package: PDO related
PHP Version: 5.5.8 OS: any
Private report: No CVE-ID: None
 [2014-01-16 14:40 UTC] aniismovsa at gmail dot com
Description:
------------
Hello. I think it would be very useful to have output filtering built into PDO. For example, if I use fetchAll() I get raw data which might have XSS JavaScript inside. Then I have to filter it somehow, e.g. with htmlspecialchars.
I think it would be great if such filtering could be done with a method like fetchAllFiltered(array('number','string','html'));
For example, if I have a table posts and it looks like id, title, body, then when calling fetchAllFiltered('number','string','html') I would get id sanitized as a number, title sanitized as a string or simply with htmlspecialchars(), and a body which would get sanitized as HTML, e.g. no JavaScript inside, but all HTML tags present.
Currently, to filter the data coming from the database, filter_var or htmlspecialchars or anything else is usually used, which I think is one more step in development which could be dropped by using fetchAllFiltered().
Also I think that filtering could be added to the default fetch methods of PDO as an array argument which describes the filtering of output for those methods.
For example: fetchAll(array('number','string','html')); and we get the filtered output.


 [2014-03-06 14:39 UTC] narf at devilix dot net
-1 ... or rather -2

XSS (or any kind of output filtering) isn't PDO's job.
 [2017-10-24 08:29 UTC] kalle@php.net
-Package: PDO Core +Package: PDO related
 [2019-05-15 20:34 UTC] peehaa@php.net
-Status: Open +Status: Wont fix
 [2019-05-15 20:34 UTC] peehaa@php.net
Handling data in a way to prevent specific kinds of attacks should be done at the place where it is used. For the specific kinds of attacks you mentioned it makes no sense for the database layer to try (and fail to) handle this.
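The following is an added example, not code from the bug report or from PHP itself, illustrating the point of the maintainers' reply. It implements a hypothetical fetchAllFiltered() helper in the shape the submitter proposed and contrasts it with encoding at the point of use. It assumes PHP 8.0 or later with pdo_sqlite available; the table, rows and output contexts are constructed for the demonstration.

```php
<?php
// Added example (not part of the bug report): "sanitize at fetch time" versus
// "encode at the point of use". In-memory SQLite via PDO, constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// Constructed row: a title containing markup that a user could have submitted.
$ins = $pdo->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
$ins->execute([
    ':title' => 'Tom & Jerry <script>alert(1)</script>',
    ':body'  => '<p>Hello <b>world</b></p>',
]);

// Hypothetical helper mirroring the proposed fetchAllFiltered(): one rule per
// column, applied as the rows leave the database layer.
function fetchAllFiltered(PDOStatement $stmt, array $rules): array
{
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $cols = array_keys($rows[0] ?? []);
    foreach ($rows as &$row) {
        foreach ($cols as $i => $col) {
            $row[$col] = match ($rules[$i] ?? 'string') {
                'number' => (int) $row[$col],
                'string' => htmlspecialchars((string) $row[$col], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
                // strip_tags keeps attributes on the allowed tags, so this is only
                // a sketch of the proposal, not a safe HTML sanitizer.
                'html'   => strip_tags((string) $row[$col], '<p><b><i>'),
                default  => throw new InvalidArgumentException("unknown rule: {$rules[$i]}"),
            };
        }
    }
    unset($row);
    return $rows;
}

// What the reply recommends: keep raw data, encode for the context it is used in.
function renderHtml(array $post): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<h1 data-id="%d">%s</h1>', (int) $post['id'], $h($post['title']));
}

function renderJson(array $post): string
{
    // Same row, different context: JSON/JS output needs JSON encoding, not HTML entities.
    return json_encode(
        $post,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

$sql      = 'SELECT id, title, body FROM posts';
$raw      = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
$filtered = fetchAllFiltered($pdo->query($sql), ['number', 'string', 'html']);

// Raw data encoded at the point of use: correct in both contexts.
echo renderHtml($raw[0]), PHP_EOL;
echo renderJson($raw[0]), PHP_EOL;

// Data already HTML-escaped at fetch time: the HTML view double-encodes
// ("&amp;amp;") and the JSON view carries HTML entities into a non-HTML context.
echo renderHtml($filtered[0]), PHP_EOL;
echo renderJson($filtered[0]), PHP_EOL;
```

Running the script shows the title rendered correctly from the raw row in both views, while the pre-filtered row produces "&amp;amp;" in HTML and literal "&amp;" entities inside the JSON string. That is the practical reason the database layer cannot pick the right encoding: the same value is read once but emitted into several contexts, and each needs its own encoder at the moment of output.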
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Aug 09 05:01:23 2020 UTC