ID: 48290
User updated by: kexianbin at diyism dot com
Reported By: kexianbin at diyism dot com
-Status: Wont fix
+Status: Open
Bug Type: Feature/Change Request
Operating System: Irrelevant
PHP Version: 5.3.2

New Comment:

I think to realize auto escape for double quoted strings is easier than to inherit variables from parent scope.

Previous Comments:
------------------------------------------------------------------------
[2009-11-27 01:53:32] kexianbin at diyism dot com

Rasmus,
Another way, similar to the reserved word 'global' to inherit variables from global scope, why can't we add a reserved word 'inherit' to inherit variables from parent scope? I think it's very useful since it's a great advantage nowadays in javascript communities.
Malcolm
------------------------------------------------------------------------
[2009-11-19 07:12:38] ras...@php.net

We did get rid of it.
------------------------------------------------------------------------
[2009-11-19 07:12:06] kexianbin at diyism dot com

For matching preciseness, we could only support the format: "...{#BatchId}...", not to support this format: "...#BatchId...".
------------------------------------------------------------------------
[2009-11-19 07:07:51] kexianbin at diyism dot com

Rasmus,
We really should get rid of sql string auto escape in data of POST, GET, COOKIE etc, instead, we put off the sql string auto escape right before the sql string is to be executed.
------------------------------------------------------------------------
[2009-11-11 01:52:04] kexianbin at diyism dot com

Derick,
The problem is right in prepared statements:

    $sql=$pdo->prepare("select * from sem_SearchChangeShow
                        where Keyword=:Keyword
                          and BatchNum=:BatchNum
                          and OldChannelID=:ApvChannelID_old
                          and OldCategoryID=:ApvCategoryID_old ");
    $sql->execute(array(':Keyword'=>$Keyword,
                        ':BatchNum'=>$BatchNum,
                        ':ApvChannelID_old'=>$ApvChannelID_old,
                        ':ApvCategoryID_old'=>$ApvCategoryID_old
                       )
                 );
    $data=$sql->fetch(PDO::FETCH_ASSOC);

We need not preparation similar to other languages, we need immediate escape and parse for variables in query strings:

    $rs=$pdo->query("select * from sem_SearchChangeShow
                     where Keyword={#Keyword}
                       and BatchNum={#BatchNum}
                       and OldChannelID={#ApvChannelID_old}
                       and OldCategoryID={#ApvCategoryID_old} ");
    $data=$rs->fetch(PDO::FETCH_ASSOC);
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/48290
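The 2009-11-11 comment contrasts PDO prepared statements with a proposed "{#Name}" marker syntax that would escape and splice variables into the query text. The script below is an added example, not code from the bug report or from PHP itself: it implements the same "{#Name}" ergonomics the reporter asks for, but by rewriting each marker into a PDO named parameter and binding the value, so the value never enters the SQL text and no escaping step exists to get wrong. The helper name queryWithMarkers(), the in-memory SQLite table and the request values are all constructed for this illustration.

```php
<?php
// Added example (not code from the bug report): the "{#Name}" marker syntax
// the reporter proposes, built on PDO prepared statements instead of string
// escaping. The SQLite in-memory table and the request values are
// constructed here so the script runs stand-alone; queryWithMarkers() is a
// hypothetical helper name.

/**
 * Rewrite every "{#Name}" marker into the PDO named parameter ":Name" and
 * execute the query with the matching entries of $vars. Values are bound,
 * never spliced into the SQL text, so no escaping is needed at all.
 */
function queryWithMarkers(PDO $pdo, $sql, array $vars)
{
    $params = array();
    // Only the strict "{#Name}" form is recognised, as the thread suggests,
    // so a bare "#Name" inside a string literal is left untouched.
    $rewritten = preg_replace_callback(
        '/\{#([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($vars, &$params) {
            $name = $m[1];
            if (!array_key_exists($name, $vars)) {
                throw new InvalidArgumentException('No value supplied for {#' . $name . '}');
            }
            $params[':' . $name] = $vars[$name];
            return ':' . $name;
        },
        $sql
    );
    $stmt = $pdo->prepare($rewritten);
    $stmt->execute($params);
    return $stmt;
}

// Constructed schema and rows, mirroring the table named in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sem_SearchChangeShow (
    Keyword TEXT, BatchNum INTEGER, OldChannelID INTEGER, OldCategoryID INTEGER)');
$pdo->exec("INSERT INTO sem_SearchChangeShow VALUES ('shoes', 7, 3, 12)");
$pdo->exec("INSERT INTO sem_SearchChangeShow VALUES ('O''Neil''s boots', 7, 3, 12)");

// Constructed request values; the second keyword carries quote characters,
// which a string-splicing approach would have to escape correctly every time.
$queries = array(
    array('Keyword' => 'shoes', 'BatchNum' => 7),
    array('Keyword' => "O'Neil's boots", 'BatchNum' => 7),
    array('Keyword' => 'hats', 'BatchNum' => 7),
);

foreach ($queries as $vars) {
    $rs = queryWithMarkers(
        $pdo,
        'select * from sem_SearchChangeShow where Keyword={#Keyword} and BatchNum={#BatchNum}',
        $vars
    );
    $data = $rs->fetch(PDO::FETCH_ASSOC);
    printf("%-16s -> %s\n", $vars['Keyword'], $data ? json_encode($data) : 'no row');
}
```

The rewritten query that reaches the driver is exactly the ":Keyword and BatchNum=:BatchNum" form already shown in the thread; the marker syntax is just a thin layer over it. The quote-bearing keyword matches its own row and nothing else, because the driver treats the bound value as data rather than as part of the statement, which is the property a "escape right before execution" scheme would have to reproduce for every dialect and every data type.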