Request #68856 add arg to odbc_execute() so values not treated as filenames
Submitted: 2015-01-19 13:04 UTC Modified: -
From: j dot faithw at yahoo dot com Assigned:
Status: Open Package: ODBC related
PHP Version: 5.6.4 OS:
Private report: No CVE-ID: None

 [2015-01-19 13:04 UTC] j dot faithw at yahoo dot com
Description:
------------
Currently odbc_execute is declared as:
  bool odbc_execute ( resource $result_id [, array $parameters_array ] )

But parameters_array has a quirk, i.e.:
    Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.

I suggest that an additional argument be added, i.e.:
  bool odbc_execute ( resource $result_id [, array $parameters_array [, mixed $filenames = true ]] )

By default $filenames would be true and the existing functionality will be unchanged. But if false the values in $parameters_array will never be interpreted as filenames. Also $filenames could be an array of true/false values specifying for each element of $parameters_array if the value should be interpreted as a filename.

This change would allow odbc_prepare and odbc_execute to be used more often, in particular to help protect against SQL injection attacks which odbc_exec is prone to.
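A userland guard that gives odbc_execute() the semantics the report proposes for $filenames today, added here as an example; it is not part of the bug report or of PHP's ODBC extension, and the function names are assumed:

```php
<?php
// Added example (not from the bug report or PHP itself): detect parameters
// that odbc_execute() would read from disk, and refuse them unless the caller
// explicitly allows file parameters, mirroring the proposed $filenames argument.

/**
 * Return the keys of $params whose values odbc_execute() treats as filenames:
 * strings that both begin and end with a single quote.
 */
function odbc_params_treated_as_files(array $params): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        if (is_string($value)
            && strlen($value) >= 2
            && $value[0] === "'"
            && $value[strlen($value) - 1] === "'") {
            $hits[] = $key;
        }
    }
    return $hits;
}

/**
 * Execute a prepared ODBC statement, failing closed on any parameter that
 * would be interpreted as a filename. $filenames follows the proposal:
 * true keeps the current behaviour, false forbids file parameters entirely,
 * and an array of booleans allows them per parameter position.
 */
function odbc_execute_checked($stmt, array $params, $filenames = false): bool
{
    foreach (odbc_params_treated_as_files($params) as $key) {
        $allowed = is_array($filenames) ? !empty($filenames[$key]) : (bool) $filenames;
        if (!$allowed) {
            throw new InvalidArgumentException(
                "parameter $key would be read as a filename by odbc_execute()"
            );
        }
    }
    return odbc_execute($stmt, $params);
}

// Constructed input: a quoted string that is data, not a path, and a plain
// integer; only the first element is flagged by the check above.
$untrusted = ["'sample value'", 42];
var_dump(odbc_params_treated_as_files($untrusted));
```

With $filenames left at its default of false, odbc_execute_checked() throws rather than letting a quote-wrapped value reach the filesystem; pass true (or a per-position array) only where reading a file is actually intended.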



PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Apr 26 01:01:25 2019 UTC