Zend Framework

Quote SQL identifiers

Details

  • Type: Improvement Improvement
  • Status: Resolved Resolved
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 0.1.3, 0.1.4, 0.1.5
  • Fix Version/s: 0.9.0
  • Component/s: Zend_Db_Table
  • Labels:
    None

Description

(copied from TRAC #9 - reported by gwaihir gw h r.n t)

For you guys to ponder: the Zend framework doesn't currently quote the column names in its (My)SQL queries. This gives issues when using "special" characters in those names and thus I found myself haphazardly adding them: From: Zend/Db/Select.php

public function __toString()
    {
        //unchanged parts
 
        // add columns
        /** WH: Updated to quote column names in back-ticks (`). Needed for '-' in a column name.
         * Note that I am not sure how databases other than MySQL respond to those back-ticks.
         * Note also how - probably inefficiently - the select is for all columns by name, rather than *.
         * @todo: find a way to do this without altering the library code.
         */
        if ($this->_parts['cols']) {
            $sql .= '`'. implode("`,\n\t`", $this->_parts['cols']) . "`\n";
        }
 
        //more unchanged parts
    }

If this affects other database systems differently than MySQL, then I dunno how / where this had best be done. If it doesn't hurt any of them, then please implement right away. I'm very exited about this development. PHP really lacks a "master" framework (like Ruby's Rails or some of Java's frameworks). I think the future success of the language rides on it (now that PHP5 already covers most other wishes). With kind regards, Wim Heemskerk

Issue Links

This issue is duplicated by:
ZF-27 the Zend framework doesn't currently quote the column names in it's (My)SQL queries (TRAC#9) Minor Resolved

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Crowd Administrator added a comment -

Previous change history from TRAC:


05/05/06 19:43:49: Modified by gavin

Also, the same problem arises in MySQL when column names use reserved words (e.g. timestamp).

Right or wrong, phpMyAdmin permits this, and some people do this.

06/03/06 04:36:47: Modified by mike

See also #92, issue is not limited to MySQL.

06/06/06 08:00:31: Modified by tony at sealedenvelope.com

The same issue also applies to using reserved words (e.g. 'group') as table names in MySQL. Line 80 of Db/Adaptor/Pdo/Mysql.php should be changed from:

$sql = "DESCRIBE $table";

to:

$sql = "DESCRIBE `$table`";
Show
Crowd Administrator added a comment - Previous change history from TRAC:05/05/06 19:43:49: Modified by gavin Also, the same problem arises in MySQL when column names use reserved words (e.g. timestamp). Right or wrong, phpMyAdmin permits this, and some people do this. — 06/03/06 04:36:47: Modified by mike See also #92, issue is not limited to MySQL. — 06/06/06 08:00:31: Modified by tony at sealedenvelope.com The same issue also applies to using reserved words (e.g. 'group') as table names in MySQL. Line 80 of Db/Adaptor/Pdo/Mysql.php should be changed from: 
$sql = "DESCRIBE $table";
to: 
$sql = "DESCRIBE `$table`";
Hide
Permalink
Tim Steiner added a comment -

A more portable solution would be to use the adapter's quoteIdentifier method to quote column and table names:

public function __toString()

...

$cols = $this->_parts['cols'];
foreach($cols as $col_key => $col_val) {
    $cols[$col_key] = $this->_adapter->quoteIdentifier($col_val);
}

...
Show
Tim Steiner added a comment - A more portable solution would be to use the adapter's quoteIdentifier method to quote column and table names: 
public function __toString()

...

$cols = $this->_parts['cols'];
foreach($cols as $col_key => $col_val) {
    $cols[$col_key] = $this->_adapter->quoteIdentifier($col_val);
}

...
Hide
Permalink
Bill Karwin added a comment -

Changing fix version to 0.8.0.

Show
Bill Karwin added a comment - Changing fix version to 0.8.0.
Hide
Permalink
Bill Karwin added a comment -

Rewording summary.

Show
Bill Karwin added a comment - Rewording summary.
Hide
Permalink
Bill Karwin added a comment -

Recategorize as Zend_Db_Table component.

Show
Bill Karwin added a comment - Recategorize as Zend_Db_Table component.
Hide
Permalink
Bill Karwin added a comment -

As of revision 3897, all SQL generated by Zend_Db classes should quote identifiers.

You can use a Zend_Db_Expr to override an identifier if you don't want it quoted.

Show
Bill Karwin added a comment - As of revision 3897, all SQL generated by Zend_Db classes should quote identifiers. You can use a Zend_Db_Expr to override an identifier if you don't want it quoted.

People

Vote (2)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Zend Framework. Try JIRA - bug tracking software for your team.