Currently odbc_execute is declared as:
bool odbc_execute ( resource $result_id [, array $parameters_array ] )
But parameters_array has a quirk, i.e.:
Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.
I suggest that an additional argument be added, i.e.:
bool odbc_execute ( resource $result_id [, array $parameters_array [, mixed $filenames = true ]] )
By default $filenames would be true and the existing functionality will be unchanged. But if false, the values in $parameters_array will never be interpreted as filenames. Also, $filenames could be an array of true/false values specifying for each element of $parameters_array whether the value should be interpreted as a filename.
This change would allow odbc_prepare and odbc_execute to be used more often, in particular to help protect against SQL injection attacks which odbc_exec is prone to.
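Until such an argument exists, callers can screen parameters themselves. The following is an added example, not code from the report or from PHP: the function names `find_filename_like_params` and `odbc_execute_no_files` are hypothetical, and the check assumes the rule exactly as quoted above (a value that starts and ends with a single quote).

```php
<?php
declare(strict_types=1);

/**
 * Added example; the function names are hypothetical, not part of ext/odbc.
 * Returns the keys of parameters that match the rule quoted in the report:
 * values that start and end with a single quote.
 */
function find_filename_like_params(array $params): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        // Only values that can become strings are relevant to the quirk.
        if (!is_scalar($value) && !($value instanceof Stringable)) {
            continue;
        }
        $s = (string) $value;
        if (strlen($s) >= 2 && $s[0] === "'" && $s[-1] === "'") {
            $hits[] = $key;
        }
    }
    return $hits;
}

/**
 * Wrapper around odbc_execute() that refuses quote-wrapped parameters
 * instead of letting them be read from disk as files.
 */
function odbc_execute_no_files($stmt, array $params): bool
{
    $hits = find_filename_like_params($params);
    if ($hits !== []) {
        throw new InvalidArgumentException(
            'Quote-wrapped parameter(s) refused at index: ' . implode(', ', $hits)
        );
    }
    return odbc_execute($stmt, $params);
}

// Constructed sample input: user-supplied values bound to placeholders.
$samples = ['alice', "'./notes.txt'", "O'Brien", 42, "'quoted text'"];
var_dump(find_filename_like_params($samples));
```

Rejecting the value rather than rewriting it keeps the stored data unchanged and makes the refusal visible to the caller, who can log it or handle that input another way.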