Edit report at https://bugs.php.net/bug.php?id=62361&edit=1
ID:                 62361
Comment by:         a...@php.net
Reported by:        lgynove at 163 dot com
Summary:            SQLite3::escapeString
Status:             Open
Type:               Bug
Package:            SQLite related
Operating System:   windows xp
PHP Version:        5.3.14
Block user comment: N
Private report:     N

 New Comment:

Ok, after digging into the subject I've found sqlite3_bind_blob() here
http://www.sqlite.org/c3ref/bind_blob.html . This functionality fully replaces
sqlite2's sqlite_encode_binary() in sqlite3. As I can see, it's also implemented
and available in PHP http://de2.php.net/manual/de/sqlite3stmt.bindparam.php .

It looks pretty much like if we want to have the old behaviour, we should take
encode.c from PECL. A sticky point here - I'm not sure that the encoding
algorithms are equivalent in both 2 and 3. So we would also need something like
->unescapeString() to get the data back. That could be useful in some cases but
anyway redundant in sqlite3.

What do you think?

Previous Comments:
------------------------------------------------------------------------
[2012-06-27 14:41:49] a...@php.net

Ah, now I see what you mean. php_sqlite_encode_binary in the PECL code, strange
it wasn't moved into sqlite3.

------------------------------------------------------------------------
[2012-06-27 13:57:55] fel...@php.net

But we have implemented an auxiliary escaping routine to escape the binary ones,
as pointed out by the reporter.

------------------------------------------------------------------------
[2012-06-27 13:42:50] a...@php.net

That's not a PHP bug I'd say. We rely here on the functionality of
http://www.sqlite.org/c3ref/mprintf.html using the %q format option. And what
their manual says

---
The %q option works like %s in that it substitutes a nul-terminated string from
the argument list. But %q also doubles every '\'' character. %q is designed for
use inside a string literal. By doubling each '\'' character it escapes that
character and allows it to be inserted into the string.
---

Escaping '\'' and '\0' can of course be easily implemented. But, as sqlite3
itself has no other string formatting options, I'd really doubt the usefulness
and correctness of such an implementation. Furthermore, if such data were
selected back from the db, some code would be needed to restore all those
escaped '\0' bytes and whatever else.

It might make sense to use base64 or alike to insert binary data into sqlite3, I
think.

------------------------------------------------------------------------
[2012-06-24 21:05:17] fel...@php.net

In fact, the escapeString() method is actually not binary-safe.

------------------------------------------------------------------------
[2012-06-19 05:28:29] lgynove at 163 dot com

Description:
------------
This bug is in sqlite3, not sqlite.
Using a picture file (*.jpg) does not work.
Using *.txt works OK.
Using the sqlite function (sqlite_escape_string) works OK!

Test script:
---------------
<?php
$db = new sqlite3(dirname(__FILE__) . '/test.sqlite');

// Binary input (JPEG): length before and after escaping
$str = file_get_contents('d:/www/test.jpg');
echo strlen($str),"\n";
$str = $db->escapeString($str);
echo strlen($str),"\n";

// Text input: length before and after escaping
$str = file_get_contents('d:/www/test.txt');
echo strlen($str),"\n";
$str = $db->escapeString($str);
echo strlen($str),"\n";

Expected result:
----------------
5000
5000
35
35

Actual result:
--------------
5000
4
35
35

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=62361&edit=1
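
Added example (not part of the bug report or PHP's own code): storing binary data through a bound BLOB parameter, the SQLite3Stmt route the thread points to, next to the base64 route suggested in an earlier comment. The table and column names and the sample bytes are constructed for illustration; the sample starts like a JFIF header, whose first NUL byte sits at offset 4, consistent with the length 4 in the reported actual result.

```php
<?php
// Constructed sample input: JFIF-style header followed by bytes that are
// awkward for string escaping (NUL, single quote, 0xFF).
$bytes = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" . str_repeat("\x00'\xFF\x1A", 16);

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, raw BLOB, b64 TEXT)');

// Route 1: bound BLOB parameter. The bytes are handed to SQLite together with
// their length and never become part of the SQL text, so nothing is escaped.
// Route 2: base64 into a TEXT column. The encoded form contains no NUL bytes
// and no quotes, at the cost of roughly one third more storage.
$stmt = $db->prepare('INSERT INTO files (id, raw, b64) VALUES (1, :raw, :b64)');
$stmt->bindValue(':raw', $bytes, SQLITE3_BLOB);
$stmt->bindValue(':b64', base64_encode($bytes), SQLITE3_TEXT);
$stmt->execute();

// Read both columns back and compare them byte for byte with the input.
$row = $db->query('SELECT raw, b64 FROM files WHERE id = 1')->fetchArray(SQLITE3_ASSOC);
$fromBlob = $row['raw'];
$fromB64  = base64_decode($row['b64'], true);

printf("input length:       %d\n", strlen($bytes));
printf("blob round trip:    %d bytes, identical=%s\n",
    strlen($fromBlob), var_export($fromBlob === $bytes, true));
printf("base64 round trip:  %d bytes, identical=%s\n",
    strlen($fromB64), var_export($fromB64 === $bytes, true));
printf("offset of first NUL in input: %d\n", strpos($bytes, "\x00"));
```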