ID: 48290
Updated by: [email protected]
Reported By: kexianbin at diyism dot com
Status: Wont fix
Bug Type: Feature/Change Request
Operating System: Irrelevant
PHP Version: 5.3.2
New Comment:
We did get rid of it.
Previous Comments:
------------------------------------------------------------------------
[2009-11-19 07:12:06] kexianbin at diyism dot com
For matching preciseness,
we could only support the format: "...{#BatchId}...",
not to support this format: "...#BatchId...".
------------------------------------------------------------------------
[2009-11-19 07:07:51] kexianbin at diyism dot com
Rasmus,
We really should get rid of sql string auto escape in data of POST,
GET, COOKIE etc,
instead, we put off the sql string auto escape until right before the
sql string is executed.
------------------------------------------------------------------------
[2009-11-11 01:52:04] kexianbin at diyism dot com
Derick,
The problem is right in prepared statements:
$sql=$pdo->prepare("select *
    from sem_SearchChangeShow
    where Keyword=:Keyword
    and BatchNum=:BatchNum
    and OldChannelID=:ApvChannelID_old
    and OldCategoryID=:ApvCategoryID_old
");
$sql->execute(array(':Keyword'=>$Keyword,
                    ':BatchNum'=>$BatchNum,
                    ':ApvChannelID_old'=>$ApvChannelID_old,
                    ':ApvCategoryID_old'=>$ApvCategoryID_old
                   )
             );
$data=$sql->fetch(PDO::FETCH_ASSOC);
We do not need preparation similar to other languages;
we need immediate escape and parse for variables in query strings:
$rs=$pdo->query("select *
    from sem_SearchChangeShow
    where Keyword={#Keyword}
    and BatchNum={#BatchNum}
    and OldChannelID={#ApvChannelID_old}
    and OldCategoryID={#ApvCategoryID_old}
");
$data=$rs->fetch(PDO::FETCH_ASSOC);
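A self-contained illustration of the distinction the PHP developers point at in this thread, added here and not part of the bug report or of PHP's own code: the interpolated form the request wanted "auto escaped" breaks as soon as the input contains a quote, while the prepared statement from the comment above treats the same value as data. It assumes the pdo_sqlite extension is available; the table and row are constructed.

```php
<?php
// Added example (not from the bug report): the sem_SearchChangeShow query
// from the comment above, run against an in-memory SQLite database so it
// is self-contained. Table contents and input values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On drivers that emulate prepares client-side (e.g. MySQL), also set
// PDO::ATTR_EMULATE_PREPARES to false so the server binds the values.

$pdo->exec("create table sem_SearchChangeShow (
    Keyword text, BatchNum integer, OldChannelID integer, OldCategoryID integer)");
$pdo->exec("insert into sem_SearchChangeShow values ('o''reilly', 7, 3, 5)");

// Untrusted input (constructed): a keyword that legitimately contains a quote.
$Keyword = "o'reilly";
$BatchNum = 7;
$ApvChannelID_old = 3;
$ApvCategoryID_old = 5;

// 1. String interpolation, the form the request wanted PHP to auto-escape:
//    the quote in the value terminates the SQL literal early, so the
//    statement is malformed and the driver rejects it.
try {
    $pdo->query("select * from sem_SearchChangeShow
        where Keyword='$Keyword' and BatchNum=$BatchNum");
    echo "interpolated: ran\n";
} catch (PDOException $e) {
    echo "interpolated: rejected - ", $e->getMessage(), "\n";
}

// 2. Prepared statement with named placeholders: the SQL text and the
//    values travel separately, so the quote is just part of the data.
$sql = $pdo->prepare("select *
    from sem_SearchChangeShow
    where Keyword=:Keyword
    and BatchNum=:BatchNum
    and OldChannelID=:ApvChannelID_old
    and OldCategoryID=:ApvCategoryID_old");
$sql->execute([
    ':Keyword'           => $Keyword,
    ':BatchNum'          => $BatchNum,
    ':ApvChannelID_old'  => $ApvChannelID_old,
    ':ApvCategoryID_old' => $ApvCategoryID_old,
]);
$data = $sql->fetch(PDO::FETCH_ASSOC);
echo "prepared: ", $data ? "matched " . $data['Keyword'] : "no row", "\n";
```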
------------------------------------------------------------------------
[2009-11-10 10:21:09] [email protected]
Stop spamming this bug system, you use prepared statements in this
case.
------------------------------------------------------------------------
[2009-11-10 09:54:32] kexianbin at diyism dot com
auto escape for variables in double quoted sql string
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/48290