Includes MySQL, SQLite, PgSQL, Firebird, Oracle and MS SQL implementations.
This method allows creating higher level libraries building the SQL command with proper escaping of identifiers. For example $db->select('id', 'title')->from('article')->where('id', $id).
It also allows using user input for table or column names: 'SELECT * FROM t ORDER BY ' . $pdo->quoteName($_GET['order']) can cause an SQL error, but it cannot cause SQL injection.
Add quoteName() method with MySQL, SQLite, PgSQL, Firebird, Oracle and MS SQL implementations
This pull request fails (merged b417336 into b2a74b5).
Are these implementations safe against charset based attacks?
@nikic doesn’t look like it is, as it doesn’t use DBMS specific name quoting functions but I’m not that sure there are any. @vrana I would like to see this improvement in PDO, as it helps DBAL implementations. Could you add tests for the other RDBMS as well?
And I would suggest renaming the method to quoteIdentifier().
ZF 1 has its own version of this called quoteIdentifier(); it'd be nice to keep the name the same.
I like the name - it's the same the Joomla platform uses :)
By convention we return NULL if parameter parsing fails; see the note on http://php.net/functions.internal. I haven't checked PDO though.
Changes to the PDO need a new API number in PDO.
Many of these implementations seem to assume ASCII-compatible encodings. This might not always be the case.
Implementation looks good on windows. Nevertheless multibyte compatibility is also important as Johannes mentioned.
@johannes @weltling can you add something definitive about multibyte support?
It's not only multi-byte, might also be fun like EBCDIC etc. I doubt anybody uses these things but there is a risk and there are databases supporting other charsets and anything getting into PDO core should be robust. On the other hand: Many parts (i.e. PS parameter parser) of PDO already have such assumptions built in ...
With the multibyte - there are definitely DBs in the outer world allowing multibyte chars for identifiers. Maybe it could be done by reading internal_encoding and (if needed) iterating the string using mbstring as a dependency. Looks like that's a bit more global subject for the PDO improvement :)
Proper identifier escaping should be done by database provided lib.
PostgreSQL provides PQescapeIdentifier() for this.
It may be good to start from PostgreSQL, but not many DBMSs provide an API.
We should try to add only truly robust things to core and fix issues in PDO before adding new ones. This functionality can be added to userspace libs easily. Closing for now.
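As an added illustration of the userland approach the last comment points to (this is example code, not the pull request's C implementation or any PDO API): a hypothetical quoteIdentifier() helper keyed on the PDO driver name, which doubles each DBMS's delimiter character and refuses input that is not well-formed UTF-8, since byte-wise doubling is only safe when the connection charset is assumed to be UTF-8 (or another ASCII-compatible encoding).

```php
<?php
declare(strict_types=1);

// Hypothetical helper; $driver is the value of PDO::ATTR_DRIVER_NAME.
// Assumes the connection charset is UTF-8, so that the delimiter byte can
// never be the trailing byte of a multibyte character.
function quoteIdentifier(string $name, string $driver): string
{
    // Reject malformed UTF-8 and embedded NULs: the charset-based attacks
    // discussed above rely on bytes that do not form valid characters.
    if (!mb_check_encoding($name, 'UTF-8') || str_contains($name, "\0")) {
        throw new InvalidArgumentException('Identifier is not valid UTF-8 or contains NUL');
    }

    switch ($driver) {
        case 'mysql':
            // Backticks are always identifier quotes in MySQL; double them inside.
            return '`' . str_replace('`', '``', $name) . '`';
        case 'sqlsrv':
        case 'dblib':
            // Bracket-quoted names: only the closing bracket needs doubling.
            return '[' . str_replace(']', ']]', $name) . ']';
        case 'pgsql':
        case 'sqlite':
        case 'firebird':
            // Standard SQL delimited identifiers: double the embedded quote.
            return '"' . str_replace('"', '""', $name) . '"';
        case 'oci':
            // Oracle allows no double quote inside a quoted identifier at all.
            if (str_contains($name, '"')) {
                throw new InvalidArgumentException('Oracle identifiers cannot contain "');
            }
            return '"' . $name . '"';
        default:
            throw new InvalidArgumentException("Unsupported driver: $driver");
    }
}

// Constructed input mimicking the ORDER BY example from the pull request:
// a value that tries to close the identifier and comment out the rest.
$order = 'title` -- ';
$sql = 'SELECT * FROM t ORDER BY ' . quoteIdentifier($order, 'mysql');
echo $sql, PHP_EOL;
// The delimiter stays inside the quoted name, so the server reports an
// unknown column instead of running altered SQL.
```

Running it against a real connection would replace the hard-coded 'mysql' with $pdo->getAttribute(PDO::ATTR_DRIVER_NAME); the rejection of invalid UTF-8 is what covers the EBCDIC and multibyte concerns raised in the thread only under the stated charset assumption.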