
ODBC query param preprocessing (PDO::quote() not implemented by PDO_ODBC) #202

Closed
zvizesna opened this issue Aug 20, 2018 · 0 comments

@zvizesna zvizesna commented Aug 20, 2018

Version: 2.4.6

Before executing a database query, query parameters are parsed and escaped in the method formatValue in SqlPreprocessor. If the param is of type string, it is then passed to PDO::quote().
However, according to PHP.net, PDO::quote() is not implemented by PDO_ODBC:

Not all PDO drivers implement this method (notably PDO_ODBC). Consider using prepared statements instead.

As a result, in queries with ? placeholders for string params the placeholders are stripped, but the actual param values are not filled in. Therefore the preprocessed query produces an SQL syntax error.

Call stack:

PDO::quote()
Nette\Database\Connection:143 quote()
Nette\Database\SqlPreprocessor:122 formatValue()
Nette\Database\SqlPreprocessor:63 process()
Nette\Database\Connection:207 preprocess()
Nette\Database\Connection:178 query()
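Added example (PHP 8, not Nette's own code): a quote() wrapper that fails loudly when the driver returns false instead of silently emitting SQL with the placeholder removed, and the prepared-statement path that PHP.net recommends for drivers such as PDO_ODBC. The in-memory SQLite DSN is a constructed stand-in for an ODBC connection.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Nette's SqlPreprocessor::formatValue():
// inline a value via PDO::quote(), but detect the "not implemented" case.
// PDO::quote() returns false when the driver does not support quoting.
function quoteOrFail(PDO $pdo, string $value): string
{
    $quoted = $pdo->quote($value);
    if ($quoted === false) {
        throw new RuntimeException(sprintf(
            'PDO driver "%s" does not implement PDO::quote(); use bound parameters.',
            $pdo->getAttribute(PDO::ATTR_DRIVER_NAME)
        ));
    }
    return $quoted;
}

// Preferred path: keep the ? placeholders in the SQL and hand the values to
// the driver through prepare()/execute(), so no client-side quoting is needed
// and the placeholder can never be dropped without its value.
function queryWithBoundParams(PDO $pdo, string $sql, array $params): PDOStatement
{
    $stmt = $pdo->prepare($sql);
    foreach (array_values($params) as $i => $value) {
        // Positional parameters are 1-based; choose the PDO type from the PHP type.
        $type = match (true) {
            $value === null => PDO::PARAM_NULL,
            is_int($value)  => PDO::PARAM_INT,
            is_bool($value) => PDO::PARAM_BOOL,
            default         => PDO::PARAM_STR,
        };
        $stmt->bindValue($i + 1, $value, $type);
    }
    $stmt->execute();
    return $stmt;
}

// Constructed usage: SQLite stands in for the ODBC DSN from the report.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER, name TEXT)');
queryWithBoundParams($pdo, 'INSERT INTO users VALUES (?, ?)', [1, "O'Brien"]);
$row = queryWithBoundParams($pdo, 'SELECT name FROM users WHERE id = ?', [1])
    ->fetch(PDO::FETCH_ASSOC);
echo $row['name'], PHP_EOL;
echo quoteOrFail($pdo, "O'Brien"), PHP_EOL; // SQLite supports quote(); ODBC would throw here
```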
