ZF-2396: Zend_Db_Adapter_Pdo_Oci wrong quoting for single-quotes
Description
The _quote function in the Zend_Db_Adapter_Pdo_Oci quotes single-quotes with addcslashes. This is wrong since Oracle requires a single-quote to be escaped with another single-quote and not a backslash. Please use the _quote() function from Zend_Db_Adapter_Oracle for quoting since there it is correct.
Thanks
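Added illustration of the quoting defect described above (example code written for this page, not Zend Framework's own adapter code; the function names and the minimal literal parser are assumptions). It contrasts backslash escaping with the doubled-quote form Oracle actually recognises, and shows how the former lets the remainder of a value fall outside the string literal.

```php
<?php
// Mirrors the defective behaviour: backslash-escape the quote (MySQL-style)
// using the same addcslashes idiom the report describes.
function quoteBackslash(string $value): string
{
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}

// Correct for Oracle: double every single quote inside the literal.
function quoteOracle(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Minimal model of how Oracle reads a string literal: a quote ends the literal
// unless it is immediately followed by another quote; a backslash is ordinary
// text. Returns [literal value, text left over after the literal closed].
function oracleParseLiteral(string $sql): array
{
    $out = '';
    $n = strlen($sql);
    $i = 1; // skip the opening quote
    while ($i < $n) {
        if ($sql[$i] === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") { // doubled quote
                $out .= "'";
                $i += 2;
                continue;
            }
            return [$out, substr($sql, $i + 1)]; // literal closed here
        }
        $out .= $sql[$i++];
    }
    return [$out, null]; // unterminated literal
}

// Constructed sample value containing a single quote.
$input = "O'Reilly";
foreach (['quoteBackslash', 'quoteOracle'] as $fn) {
    $quoted = $fn($input);
    [$value, $rest] = oracleParseLiteral($quoted);
    printf("%-15s %-14s literal=%s leftover=%s\n",
        $fn, $quoted, var_export($value, true), var_export($rest, true));
}
// quoteBackslash yields 'O\'Reilly': Oracle sees the literal O\ and the text
// Reilly' is left outside the string, i.e. it becomes part of the statement.
// quoteOracle yields 'O''Reilly': the literal is O'Reilly with nothing left over.
```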
Comments
Posted by Christian Münch (cmuench) on 2008-02-07T08:04:32.000+0000
We tested the resolution in the bug description. This fixes the broken oci adapter.
Posted by Thorsten Kunz (sunfire) on 2008-03-18T09:33:40.000+0000
I wonder why this is not fixed yet? This allows for SQL injection if people use the PDO_OCI adapter and rely on _quote() to work as advertised! The fix is so easy and already accepted in the regular Oracle adapter so please can someone commit the fix?
Posted by rodolfo (rodolfo) on 2008-07-07T11:44:22.000+0000
I have problems like this using Zend_Auth_Adapter_DbTable with Oracle Express and I created a patch for this in Zend_Db_Adapter_Pdo_Oci.
Posted by Mickael Perraud (mikaelkael) on 2008-10-04T06:51:24.000+0000
Fixed in SVN11672 (applies same quoting as Oracle adapter). Fix test failure testSelectColumnWithColonQuotedParameter.