|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #66495 fetchAllFiltered() method or alike for PDO
Submitted: 2014-01-16 14:40 UTC Modified: 2019-05-15 20:34 UTC
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: aniismovsa at gmail dot com Assigned:
Status: Wont fix Package: PDO related
PHP Version: 5.5.8 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
31 + 13 = ?
Subscribe to this entry?

 [2014-01-16 14:40 UTC] aniismovsa at gmail dot com
Hello. I think it would be very useful to have otput filtering built in PDO. For example if use fetchAll() I get raw data which might have XSS javascript inside. Then I have to filter it somehow e.g. htmlspecialchars. 
I think it would be great if such filtering could be done with method like fetchAllFiltered(array('number','string','html');
For example if i have a table posts and it looks like id, title, body then when calling fetchAllFiltered('number','string','html') i would get id sanitized as a number, title sanitized as a string or simply with htmlspecialchars() and a body which would get sanitized as html. e.g. no javascript inside, but all html tags present.
 Currently to filter the data coming from database usually is used filter_var or htmlspecialchars or anything else which i think is one more step in development which could be dropped using fetchAllFiltered().
 Also i think that filtering could be added in default fetch methods of PDO as an array argument which describes filtering of output for those methods. 
For example: fetchAll(array('number',string','html')); and we get the filtered output.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-06 14:39 UTC] narf at devilix dot net
-1 ... or rather -2

XSS (or any kind of output filtering) isn't PDO's job.
 [2017-10-24 08:29 UTC]
-Package: PDO Core +Package: PDO related
 [2019-05-15 20:34 UTC]
-Status: Open +Status: Wont fix
 [2019-05-15 20:34 UTC]
Handling data in a way to prevent specific kinds of attacks should be done at the place where it is used. For the specific kinds of attacks you mentioned it makes no sense for the database layer to try (and fail to) handle this.
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Nov 28 02:01:26 2020 UTC