Add PDO::quoteName() method #167
Conversation
Are these implementations safe against charset-based attacks?
And I would suggest renaming the method to quoteIdentifier().
ZF 1 has its own version of this called quoteIdentifier(); it would be nice to keep the name the same.
I like the name; it's the same one the Joomla platform uses :)
Implementation looks good on Windows. Nevertheless, multibyte compatibility is also important, as Johannes mentioned.
It's not only multi-byte; there might also be fun like EBCDIC etc. I doubt anybody uses these things, but there is a risk, there are databases supporting other charsets, and anything getting into PDO core should be robust. On the other hand, many parts of PDO (e.g. the PS parameter parser) already have such assumptions built in ...
On the multibyte point: there are definitely DBs out in the world allowing multibyte chars for identifiers. Maybe it could be done by reading internal_encoding and (if needed) iterating the string using mbstring as a dependency. Looks like that's a somewhat more global subject for PDO improvement :)
Proper identifier escaping should be done by the database-provided lib. It may be good to start with PostgreSQL, but not many DBMSs provide such an API.
We should try to add only truly robust things to core and fix issues in PDO before adding new ones. This functionality can be added to userspace libs easily. Closing for now.
Includes MySQL, SQLite, PgSQL, Firebird, Oracle and MS SQL implementations.
This method allows creating higher-level libraries that build the SQL command with proper escaping of identifiers. For example:
$db->select('id', 'title')->from('article')->where('id', $id)
It also allows using user input for table or column names:
'SELECT * FROM t ORDER BY ' . $pdo->quoteName($_GET['order'])
can cause an SQL error but cannot cause SQL injection.
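The ORDER BY use in the description above and the charset question raised in the first review comment, as an added example that is not code from PR #167 or from php-src: a userland quoteIdentifier-style helper in PHP, of the kind the closing comment says belongs outside core. The class name, the driver table and the constructor's encoding parameter are assumptions; the driver keys follow the values PDO::ATTR_DRIVER_NAME returns, and the encoding must be the one the connection actually uses, because the server parses the statement in its own character set, not in PHP's.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not code from PR #167 or php-src. Assumed names: the class,
 * the DELIMITERS table and the $encoding parameter. Driver keys follow
 * PDO::ATTR_DRIVER_NAME values ("mysql", "sqlite", "pgsql", ...).
 */
final class IdentifierQuoter
{
    /** [open, close] delimiters per PDO driver name (assumed table). */
    private const DELIMITERS = [
        'mysql'    => ['`', '`'],
        'sqlite'   => ['"', '"'],
        'pgsql'    => ['"', '"'],
        'firebird' => ['"', '"'],
        'oci'      => ['"', '"'],
        'sqlsrv'   => ['[', ']'],
        'dblib'    => ['[', ']'],
    ];

    private string $open;
    private string $close;

    // $encoding must be the character set of the connection, not PHP's default.
    public function __construct(string $driver, private string $encoding = 'UTF-8')
    {
        if (!isset(self::DELIMITERS[$driver])) {
            throw new InvalidArgumentException("No quoting rule for driver '$driver'");
        }
        [$this->open, $this->close] = self::DELIMITERS[$driver];
    }

    public function quote(string $name): string
    {
        if ($name === '' || str_contains($name, "\0")) {
            throw new InvalidArgumentException('Identifier must be non-empty and contain no NUL byte');
        }
        // Reject byte sequences that are not well formed in the connection charset;
        // a dangling lead byte is the usual ingredient of a charset-confusion escape.
        if (!mb_check_encoding($name, $this->encoding)) {
            throw new InvalidArgumentException("Identifier is not valid {$this->encoding}");
        }
        // Walk characters, not bytes: in a multibyte charset such as GBK the byte
        // 0x60 can be the trail byte of a two-byte character. Doubling it there
        // would hand the server a real closing delimiter in the middle of the name.
        $out = $this->open;
        foreach (mb_str_split($name, 1, $this->encoding) as $ch) {
            $out .= ($ch === $this->close) ? $this->close . $this->close : $ch;
        }
        return $out . $this->close;
    }
}

// Demo with constructed inputs.
$mysql = new IdentifierQuoter('mysql');
var_dump($mysql->quote('title') === '`title`');
var_dump($mysql->quote('a`b') === '`a``b`');

// Attacker-controlled ORDER BY column, as in the description above: the
// embedded backtick is doubled, so the whole string stays one identifier.
$order = 'id`; DROP TABLE t; -- ';
echo 'SELECT * FROM t ORDER BY ' . $mysql->quote($order), "\n";

// Constructed charset probe: byte 0xBF followed by a backtick. Under UTF-8 it is
// malformed and rejected; under GBK it is a single two-byte character, so no
// delimiter is inside the identifier and nothing is doubled.
$probe = "\xBF`";
try {
    $mysql->quote($probe);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
$gbk = new IdentifierQuoter('mysql', 'GBK');
var_dump($gbk->quote($probe) === "`\xBF``");
```

Obtain the driver with $pdo->getAttribute(PDO::ATTR_DRIVER_NAME) and pass the character set you configured on the connection (for MySQL, the charset= option in the DSN). Escaping in PHP's default encoding while the server decodes GBK or SJIS is exactly the charset-confusion case the first comment asks about; the per-character walk in the connection encoding is the mbstring-based iteration the later comment suggests. Needs PHP 8.0 or later with the mbstring extension.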