ID: 48290
User updated by: kexianbin at diyism dot com
Reported By: kexianbin at diyism dot com
Status: Wont fix
Bug Type: Feature/Change Request
Operating System: Irrelevant
PHP Version: 5.3.2
New Comment:
Rasmus,
We really should get rid of the SQL string auto escape in the data of POST,
GET, COOKIE etc.;
instead, we should put the SQL string auto escape right before the SQL
string is executed.
Previous Comments:
------------------------------------------------------------------------
[2009-11-11 01:52:04] kexianbin at diyism dot com
Derick,
The problem is right in prepared statements:
$sql=$pdo->prepare("select *
    from sem_SearchChangeShow
    where Keyword=:Keyword
    and BatchNum=:BatchNum
    and OldChannelID=:ApvChannelID_old
    and OldCategoryID=:ApvCategoryID_old
");
$sql->execute(array(':Keyword'=>$Keyword,
    ':BatchNum'=>$BatchNum,
    ':ApvChannelID_old'=>$ApvChannelID_old,
    ':ApvCategoryID_old'=>$ApvCategoryID_old
    )
);
$data=$sql->fetch(PDO::FETCH_ASSOC);
We do not need preparation similar to other languages,
we need immediate escape and parse for variables in query strings:
$rs=$pdo->query("select *
    from sem_SearchChangeShow
    where Keyword={#Keyword}
    and BatchNum={#BatchNum}
    and OldChannelID={#ApvChannelID_old}
    and OldCategoryID={#ApvCategoryID_old}
");
$data=$rs->fetch(PDO::FETCH_ASSOC);
------------------------------------------------------------------------
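Editor's added example (not code from the bug report or from PHP itself): the two approaches argued over above, run side by side against an in-memory SQLite database so it works offline. The table and column names are taken from the report; the rows, the lookup values and the use of PDO::quote as the "escape right before execution" step are assumptions of this example. The point it demonstrates is that with named placeholders the values never become part of the SQL text at all, while the escape-before-execute route still has to be applied by hand to every string and every integer on every query.

```php
<?php
// Constructed schema and data; an apostrophe in the keyword is deliberate,
// because it is the character that breaks naive string interpolation.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE sem_SearchChangeShow (
    Keyword TEXT, BatchNum INTEGER, OldChannelID INTEGER, OldCategoryID INTEGER)");
$pdo->exec("INSERT INTO sem_SearchChangeShow VALUES ('O''Brien', 7, 3, 9)");

// Lookup values as they might arrive from a request (constructed).
$Keyword = "O'Brien";
$BatchNum = 7;
$ApvChannelID_old = 3;
$ApvCategoryID_old = 9;

// 1. Prepared statement with named placeholders (what Derick recommends).
//    The driver receives the SQL and the values separately; nothing in
//    $Keyword can alter the statement's structure.
$stmt = $pdo->prepare("SELECT * FROM sem_SearchChangeShow
    WHERE Keyword = :Keyword AND BatchNum = :BatchNum
      AND OldChannelID = :ApvChannelID_old AND OldCategoryID = :ApvCategoryID_old");
$stmt->execute([
    ':Keyword'           => $Keyword,
    ':BatchNum'          => $BatchNum,
    ':ApvChannelID_old'  => $ApvChannelID_old,
    ':ApvCategoryID_old' => $ApvCategoryID_old,
]);
$prepared = $stmt->fetch(PDO::FETCH_ASSOC);

// 2. Escape immediately before execution (the reporter's preferred model,
//    done explicitly with PDO::quote instead of a new {#var} syntax).
//    PDO::quote adds the surrounding quotes and escapes embedded ones for
//    the current driver; integer columns are cast so they need no quoting.
$sql = sprintf("SELECT * FROM sem_SearchChangeShow
    WHERE Keyword = %s AND BatchNum = %d
      AND OldChannelID = %d AND OldCategoryID = %d",
    $pdo->quote($Keyword), (int) $BatchNum,
    (int) $ApvChannelID_old, (int) $ApvCategoryID_old);
$escaped = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);

// Both paths should locate the same row with the apostrophe intact.
var_dump($prepared === $escaped);
var_dump($prepared['Keyword']);
```

Run with `php example.php`. The contrast worth noticing is in step 2: correctness depends on remembering PDO::quote for every string and a cast for every integer in every query, which is exactly the per-query discipline that placeholders remove.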
[2009-11-10 10:21:09] [email protected]
Stop spamming this bug system, you use prepared statements in this
case.
------------------------------------------------------------------------
[2009-11-10 09:54:32] kexianbin at diyism dot com
auto escape for variables in double quoted sql string
------------------------------------------------------------------------
[2009-11-10 09:53:42] kexianbin at diyism dot com
Changed the title to "auto escape for variables in double quotes sql
string".
------------------------------------------------------------------------
[2009-11-10 09:51:53] kexianbin at diyism dot com
Changed the title.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/48290
--
Edit this bug report at http://bugs.php.net/?id=48290&edit=1