php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81053 PDO quote method gives invalid result with single quotes inside string
Submitted: 2021-05-19 14:42 UTC Modified: 2021-05-21 14:15 UTC
From: madis at creditinfo dot ee Assigned:
Status: Open Package: PDO_INFORMIX (PECL)
PHP Version: 8.0.6 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: madis at creditinfo dot ee
New email:
PHP Version: OS:

 

 [2021-05-19 14:42 UTC] madis at creditinfo dot ee
Description:
------------
The PDO quote method for Informix escapes single quotes inside string with a backslash which is invalid. A single quote should be escaped with another single quote ('TEST\'N%' is incorrect and breaks the query while 'TEST''N%' works).

Test script:
---------------
$pdo = new PDO();
$string = "TEST'N";
$search_string = $pdo->quote($string . "%");
$sql = "SELECT * FROM companies WHERE UPPER(name) LIKE $search_string LIMIT 1";
$query = $pdo->prepare($sql);
$query->execute();
$result = $query->fetchAll(PDO::FETCH_ASSOC);
print_r($result);

Expected result:
----------------
No errors

Actual result:
--------------
Fatal error: Uncaught PDOException: SQLSTATE[HY000]: General error: -11060 [Informix][Informix ODBC Driver]General error.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-05-21 14:15 UTC] cmb@php.net
I don't know about INFORMIX, but that escaping[1] looks like MySQL
escaping.

[1] <https://github.com/php/pecl-database-pdo_informix/blob/6e0f91d271f04e46512b1c2ebaf3ba496fff7a36/informix_driver.c#L460-L492>
 [2021-06-04 09:15 UTC] madis at creditinfo dot ee
When stumbling on the problem I did some research and found information on https://www.ibm.com/docs/en/informix-servers/14.10?topic=statements-quotation-marks-escape-characters, but overall I haven't dived into this enough to determine if escaping everything else works properly.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 06 01:01:27 2024 UTC