ID: 48290
User updated by: kexianbin at diyism dot com
Reported By: kexianbin at diyism dot com
Status: Wont fix
Bug Type: Feature/Change Request
Operating System: Irrelevant
PHP Version: 5.3.2
New Comment:
Derick,
The problem is right in prepared statements:
// Named placeholders: the query text is fixed at prepare time,
// the values are bound separately at execute time.
$sql=$pdo->prepare("select *
from sem_SearchChangeShow
where Keyword=:Keyword
and BatchNum=:BatchNum
and OldChannelID=:ApvChannelID_old
and OldCategoryID=:ApvCategoryID_old
");
$sql->execute(array(':Keyword'=>$Keyword,
':BatchNum'=>$BatchNum,
':ApvChannelID_old'=>$ApvChannelID_old,
':ApvCategoryID_old'=>$ApvCategoryID_old
)
);
$data=$sql->fetch(PDO::FETCH_ASSOC);
We do not need preparation like other languages;
we need immediate escaping and parsing of variables in query strings:
$rs=$pdo->query("select *
from sem_SearchChangeShow
where Keyword={#Keyword}
and BatchNum={#BatchNum}
and OldChannelID={#ApvChannelID_old}
and OldCategoryID={#ApvCategoryID_old}
");
$data=$rs->fetch(PDO::FETCH_ASSOC);
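As an added illustration of the point Derick makes (example code written for this page, not code from the report, from PDO or from any PHP source), the same lookup is run three ways against a constructed in-memory SQLite table whose columns mirror the report's sem_SearchChangeShow. The real schema is not on the page, so the column types and the extra Secret column are assumptions. Python's sqlite3 module is used because its :name placeholders bind the same way PDO's do and the example runs offline; escape_string stands in for what an automatic escape of a double-quoted SQL string could do. Escaping protects only a quoted string context: a value that lands in the unquoted BatchNum={...} position still rewrites the query, whereas a bound parameter never becomes SQL at all.

```python
import sqlite3


def make_db():
    """Constructed sample data; the real table layout is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sem_SearchChangeShow ("
        "Keyword TEXT, BatchNum INTEGER, OldChannelID INTEGER, "
        "OldCategoryID INTEGER, Secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO sem_SearchChangeShow VALUES (?, ?, ?, ?, ?)",
        [
            ("shoes", 1, 10, 20, "row-for-shoes"),
            ("hats", 2, 11, 21, "row-for-hats"),
        ],
    )
    return conn


def escape_string(value):
    """Stand-in for an 'auto escape' of a double-quoted SQL string:
    it doubles single quotes and knows nothing about where the value lands."""
    return str(value).replace("'", "''")


def lookup_interpolated(conn, keyword, batch):
    """Vulnerable: raw values are pasted into the query text."""
    sql = (
        "SELECT Secret FROM sem_SearchChangeShow "
        f"WHERE Keyword='{keyword}' AND BatchNum={batch}"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, keyword, batch):
    """The report's proposal: escape, then interpolate. The quoted Keyword
    context is protected; the unquoted numeric BatchNum context is not."""
    sql = (
        "SELECT Secret FROM sem_SearchChangeShow "
        f"WHERE Keyword='{escape_string(keyword)}' "
        f"AND BatchNum={escape_string(batch)}"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, keyword, batch):
    """Parameterised, as PDO::prepare/execute does it: the SQL is fixed
    and the values are bound to :Keyword / :BatchNum, never parsed as SQL."""
    sql = (
        "SELECT Secret FROM sem_SearchChangeShow "
        "WHERE Keyword=:Keyword AND BatchNum=:BatchNum"
    )
    params = {"Keyword": keyword, "BatchNum": batch}
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    # Benign input: all three agree.
    print(lookup_interpolated(db, "shoes", 1), lookup_prepared(db, "shoes", 1))
    # Injection into the quoted string context: escaping stops it.
    print(lookup_interpolated(db, "' OR 1=1 --", 1), lookup_escaped(db, "' OR 1=1 --", 1))
    # Injection into the unquoted numeric context: escaping does nothing,
    # only the bound parameter keeps the query intact.
    print(lookup_escaped(db, "shoes", "1 OR 1=1"), lookup_prepared(db, "shoes", "1 OR 1=1"))
```

With the numeric payload "1 OR 1=1", both the raw and the escaped interpolation return every row, because there is no quote character for the escaper to act on; the parameterised query binds the text as a value, compares it against the integer column and returns nothing.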
Previous Comments:
------------------------------------------------------------------------
[2009-11-10 10:21:09] [email protected]
Stop spamming this bug system, you use prepared statements in this
case.
------------------------------------------------------------------------
[2009-11-10 09:54:32] kexianbin at diyism dot com
auto escape for variables in double quoted sql string
------------------------------------------------------------------------
[2009-11-10 09:53:42] kexianbin at diyism dot com
Changed the title to "auto escape for variables in double quotes sql
string".
------------------------------------------------------------------------
[2009-11-10 09:51:53] kexianbin at diyism dot com
Changed the title.
------------------------------------------------------------------------
[2009-11-10 09:39:51] kexianbin at diyism dot com
There must be a solution in the world.
If we can't build the auto escape for double-quoted SQL strings,
we can build get_caller_vars to realize the simpler auto escape of
double-quoted SQL strings.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/48290