Edit report at https://bugs.php.net/bug.php?id=62361&edit=1

 ID:                 62361
 Comment by:         daniel dot kinzler at wikimedia dot de
 Reported by:        lgynove at 163 dot com
 Summary:            SQLite3::escapeString
 Status:             Analyzed
 Type:               Bug
 Package:            SQLite related
 Operating System:   windows xp
 PHP Version:        5.3.14
 Block user comment: N
 Private report:     N

 New Comment:

The same problem exists with the SQLite driver for PDO, see bug 63419


Previous Comments:
------------------------------------------------------------------------
[2012-06-27 16:44:54] a...@php.net

Ok, after digging into the subject I've found sqlite3_bind_blob() here 
http://www.sqlite.org/c3ref/bind_blob.html . This functionality fully replaces 
sqlite2's sqlite_encode_binary() in sqlite3. As I can see, it's also 
implemented and available in PHP 
http://de2.php.net/manual/de/sqlite3stmt.bindparam.php . 

It looks pretty much like if we want to have the old behaviour, we should take 
encode.c from PECL. A sticky point here - I'm not sure that the encoding 
algorithms are equivalent in both 2 and 3. So we would also need something like 
->unescapeString() to get the data back. That could be useful in some cases but 
anyway redundant in sqlite3.

What do you think?

------------------------------------------------------------------------
[2012-06-27 14:41:49] a...@php.net

Ah, now I see what you mean. php_sqlite_encode_binary in the PECL code; strange 
that it wasn't moved into sqlite3.

------------------------------------------------------------------------
[2012-06-27 13:57:55] fel...@php.net

But we have implemented an auxiliary escaping routine to escape the binary ones, 
as pointed out by the reporter.

------------------------------------------------------------------------
[2012-06-27 13:42:50] a...@php.net

That's not a PHP bug I'd say. We rely here on the functionality of 
http://www.sqlite.org/c3ref/mprintf.html using the %q format option. And here is 
what their manual says:

---
The %q option works like %s in that it substitutes a nul-terminated string from 
the argument list. But %q also doubles every '\'' character. %q is designed for 
use inside a string literal. By doubling each '\'' character it escapes that 
character and allows it to be inserted into the string.
---

Escaping '\'' and '\0' can be of course easily implemented. But, as sqlite3 
itself has no other string formatting options, I'd really doubt the usefulness 
and correctness of such an implementation. Furthermore, if such data were 
selected back from the db, some code would be needed to restore all those 
escaped '\0' bytes and whatever else.

It might make sense to use base64 or alike to insert binary data into sqlite3, I 
think.

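Added example (not code from this bug report, from PHP or from SQLite): it reproduces the %q behaviour described in the comment above, where everything after the first NUL byte is dropped because sqlite3_mprintf() reads a NUL-terminated C string, and then shows the bound-parameter path the 16:44 comment points to (sqlite3_bind_blob() via SQLite3Stmt::bindValue with SQLITE3_BLOB), plus the equivalent PDO binding since the new comment says the PDO SQLite driver has the same problem. The sample byte string is constructed for the demonstration; table and column names are arbitrary.

```php
<?php
// Added example for this thread (not code from the bug report, PHP or SQLite).
// Part 1 reproduces the binary-safety problem of SQLite3::escapeString();
// parts 2 and 3 show the bound-parameter alternative for SQLite3 and PDO.

// Constructed sample value: a NUL byte, a single quote and a non-ASCII byte,
// i.e. the kinds of bytes a real BLOB carries.
$binary = "ab\0c'd\xff";

// 1. SQLite3::escapeString() is built on sqlite3_mprintf("%q"), which reads
//    its argument as a NUL-terminated C string. The quote is doubled, but
//    every byte after the first "\0" is silently discarded.
$escaped = SQLite3::escapeString($binary);
printf("input  : %d bytes (%s)\n", strlen($binary), bin2hex($binary));
printf("escaped: %d bytes (%s)\n", strlen($escaped), bin2hex($escaped));
if (strlen($escaped) < strlen($binary)) {
    echo "escapeString() dropped the bytes after the NUL: not binary-safe\n";
}

// 2. Safe path with the SQLite3 class: a prepared statement whose parameter
//    is bound as SQLITE3_BLOB. This goes through sqlite3_bind_blob(), which
//    carries an explicit length, so no byte needs escaping at all.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, data BLOB)');

$stmt = $db->prepare('INSERT INTO t (data) VALUES (:data)');
$stmt->bindValue(':data', $binary, SQLITE3_BLOB);
$stmt->execute();
$stmt->close();

// BLOB columns come back as ordinary PHP strings, byte for byte.
$back = $db->querySingle('SELECT data FROM t WHERE id = 1');
echo 'SQLite3 round-trip intact: ', var_export($back === $binary, true), "\n";

// 3. Same idea with the PDO SQLite driver: bind the value as PDO::PARAM_LOB
//    instead of quoting it into the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, data BLOB)');

$ins = $pdo->prepare('INSERT INTO t (data) VALUES (?)');
$ins->bindValue(1, $binary, PDO::PARAM_LOB);
$ins->execute();

$back = $pdo->query('SELECT data FROM t WHERE id = 1')->fetchColumn();
echo 'PDO round-trip intact: ', var_export($back === $binary, true), "\n";
```

Run it with the php CLI (the sqlite3 and pdo_sqlite extensions must be enabled). The first block prints a shorter escaped length than the input, which is the defect this report is about; the two bound-parameter inserts store and read the full value without any escaping step, which is why binding is the recommended way to handle binary data rather than building SQL strings.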
------------------------------------------------------------------------
[2012-06-24 21:05:17] fel...@php.net

In fact, the escapeString() method is actually not binary-safe.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62361

