Zend Framework

Zend_Db_Statement->_stripQuoted() does not escape strings in regular expressions

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Blocker
  • Resolution: Won't Fix
  • Affects Version/s: 1.0.0, 1.0.1
  • Fix Version/s: 1.5.0
  • Component/s: Zend_Db
  • Labels: None

Description

When using reserved characters like [ and ], the regular expressions in the protected function Zend_Db_Statement->_stripQuoted() throw an exception/error. This is because the strings should be quoted like this:

$q = preg_quote($q);
$qe = preg_quote($qe);
$d = preg_quote($d);
$de = preg_quote($de);

I noticed this problem while using MS-SQL Server (odbtp). Of course, you can set QUOTED_IDENTIFIER to ON and use double quotes instead of brackets (as described in related tickets):

http://msdn2.microsoft.com/en-us/library/aa224033(SQL.80).aspx

This, however, doesn't change the fact that chars inserted into a regular expression should be escaped. Delimiters in brackets can always be used, regardless of the setting of QUOTED_IDENTIFIER.

Just an idea, but isn't there an easier way of getting the escape characters from the database adapter? Functions like getIdentifierQuoteStartChar(), getIdentifierQuoteEndChar(), getQuoteStartChar() and getQuoteEndChar()? I would even recommend using public class constants for this purpose.
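Added example, not code from the ticket or from Zend Framework: a PHP stand-in for the stripping step of Zend_Db_Statement->_stripQuoted() (the statement class uses that helper so that placeholder characters inside quoted text are ignored when it parses parameters). It takes the identifier start and end delimiters separately, as the suggested getIdentifierQuoteStartChar()/getIdentifierQuoteEndChar() would supply them; the function name, parameter names and sample statement are constructed for this illustration.

```php
<?php
// Added example, not Zend Framework code. Mirrors how the 1.0.x version
// interpolated delimiter characters straight into the pattern; with
// $escape = true they pass through preg_quote() first, as the report
// proposes. Parameter names here are constructed, not the framework's.
function stripQuoted(
    string $sql,
    string $ds,   // identifier delimiter start, e.g. [ or "
    string $dend, // identifier delimiter end,   e.g. ] or "
    string $de,   // escaped delimiter inside an identifier, e.g. ]] or ""
    string $q,    // value quote, normally '
    string $qe,   // escaped quote inside a value, normally ''
    bool $escape
): ?string {
    if ($escape) {
        $ds   = preg_quote($ds, '/');
        $dend = preg_quote($dend, '/');
        $de   = preg_quote($de, '/');
        $q    = preg_quote($q, '/');
        $qe   = preg_quote($qe, '/');
    }
    // Strip delimited identifiers such as [My Table] or "x""y".
    // @ silences the compile warning so the null return can be inspected.
    $sql = @preg_replace("/$ds($de|[^$dend])*$dend/", '', $sql);
    if ($sql === null) {
        return null; // pattern did not compile: the failure this ticket reports
    }
    // Strip quoted values such as 'it''s'.
    return @preg_replace("/$q($qe|[^$q])*$q/", '', $sql);
}

// Constructed sample statement using MS SQL bracket delimiters.
$sql = "SELECT [Name] FROM [My Table] WHERE [Id] = 'it''s' AND [x] = ?";

// Unescaped: '[' opens a character class and ')' is left unmatched,
// so the pattern fails to compile and the function returns null.
var_dump(stripQuoted($sql, '[', ']', ']]', "'", "''", false));

// Escaped: identifiers and the literal (including its doubled quote)
// are removed, leaving only keywords and the ? placeholder.
var_dump(stripQuoted($sql, '[', ']', ']]', "'", "''", true));
```

The same call with `"` for both $ds and $dend and `""` for $de covers the QUOTED_IDENTIFIER ON case Bill Karwin recommends; with preg_quote() in place both delimiter styles compile.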

Activity

Darby Felton added a comment -

Assigning to Bill Karwin to initiate issue review. Is this issue really a blocker?

Bill Karwin added a comment -

Don't use brackets as identifier delimiters. This is not standard SQL, it's bogus Microsoft syntax. The Zend_Db_Adapter_Pdo_Mssql class always executes "SET QUOTED_IDENTIFIER ON" after connecting, to encourage usage of standard SQL syntax.

I don't think we should add methods to the Db Adapter interface to support non-standard syntax used by a single vendor. The better solution is to use the standard SQL identifier delimiter, which is the double-quote (") and is the same for begin and end of a delimited identifier.

