|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-11-08 21:35 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
[2020-11-08 21:35 UTC] cmb@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Tue Apr 23 22:01:31 2024 UTC |
Description: ------------ When extracting prepared statement parameters, the SQL parser doesn't take into account the dialect of the currently used database platform. Specifically, it unconditionally expects string literals to use backslash for escaping the closing delimiter (single or double quote), although it's only supported by MySQL. It causes incorrect query parsing on other platforms (e.g. PostgreSQL). In the following script, the parser interprets the combination of the backslash and the quote as part of the literal, so the following question mark gets replaced with the $1 placeholder, however, it should remain intact as part of the literal. Test script: --------------- $conn = new PDO('pgsql:...'); $sql = <<<'SQL' SELECT '\'', ?' SQL; $stmt = $conn->prepare($sql); $stmt->execute(); var_dump($stmt->fetchColumn()); Expected result: ---------------- postgres=# SELECT '\'', ?'; ?column? ---------- \', ? (1 row) Actual result: -------------- \', $1