ZF-2396: Zend_Db_Adapter_Pdo_Oci wrong quoting for single-quotes


The _quote function in Zend_Db_Adapter_Pdo_Oci quotes single quotes with addcslashes. This is wrong, since Oracle requires a single quote to be escaped with another single quote and not a backslash. Please use the _quote() function from Zend_Db_Adapter_Oracle for quoting, since there it is correct.



We tested the resolution in the bug description. This fixes the broken OCI adapter.

I wonder why this is not fixed yet? This allows for SQL injection if people use the PDO_OCI adapter and rely on _quote() to work as advertised! The fix is so easy and already accepted in the regular Oracle adapter, so please can someone commit the fix?
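As an added example (not code from the bug report, the patch, or Zend Framework), the following Python script shows why the backslash form described in the report is wrong for Oracle and why the comment above calls it an injection risk. `backslash_quote` is a simplified stand-in for the addcslashes-based quoting the report complains about (the exact escape set is an assumption here), `oracle_quote` is the doubled-quote rule the Zend_Db_Adapter_Oracle _quote() is said to use, and `split_literal` implements only Oracle's string-literal lexing rule (a doubled quote is data, a backslash has no special meaning) so you can see where each literal actually ends. Sample inputs are constructed for the demonstration.

```python
"""Why backslash-escaping a single quote is unsafe for Oracle.

Oracle's SQL lexer has no backslash escape inside a string literal: the
only way to put a quote into a literal is to double it (''). A quoting
routine that emits \' therefore closes the literal early, and everything
after that quote is parsed as SQL instead of data.

Added demonstration; not code from the bug report or from Zend Framework.
"""
from typing import Callable, Tuple


def backslash_quote(value: str) -> str:
    """Backslash-style quoting: a simplified stand-in for the addcslashes-based
    _quote() the report complains about (assumed escape set: backslash, quote)."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def oracle_quote(value: str) -> str:
    """Oracle-correct quoting: double every single quote, touch nothing else."""
    return "'" + value.replace("'", "''") + "'"


def split_literal(sql: str, start: int) -> Tuple[str, int]:
    """Lex one Oracle string literal beginning at sql[start] (which must be ').

    Returns (decoded_contents, index_just_after_the_closing_quote). The only
    rule implemented is Oracle's: '' inside a literal is one quote character,
    and a backslash is an ordinary character with no escaping meaning.
    """
    if sql[start] != "'":
        raise ValueError("no string literal at offset %d" % start)
    chars = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                chars.append("'")  # doubled quote -> one literal quote
                i += 2
                continue
            return "".join(chars), i + 1  # lone quote closes the literal
        chars.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def stored_value(quoter: Callable[[str], str], value: str) -> str:
    """The value Oracle would actually see inside the literal built by `quoter`."""
    return split_literal(quoter(value), 0)[0]


def leaked_sql(quoter: Callable[[str], str], value: str) -> str:
    """Build `... WHERE name = <quoted value>` and return whatever text ends up
    OUTSIDE the literal. An empty string means the value stayed data; anything
    else is parsed by Oracle as SQL the application never wrote."""
    sql = "SELECT * FROM users WHERE name = " + quoter(value)
    _, end = split_literal(sql, sql.index("'"))
    return sql[end:]


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate name, a Windows path, and a
    # classic tautology payload, included to illustrate the thread's
    # SQL-injection claim.
    for value in ("O'Brien", "C:\\temp", "' OR 1=1 --"):
        for quoter in (backslash_quote, oracle_quote):
            print("%-16s %-16s stored=%-14r leaked=%r" % (
                quoter.__name__, repr(value),
                stored_value(quoter, value), leaked_sql(quoter, value)))
```

With the backslash form, a plain apostrophe in a name already terminates the literal and pushes the rest of the value (`Brien'`) out into the statement, and a value containing a backslash is stored with the backslash doubled; with the doubled-quote form every input stays inside the literal and round-trips unchanged. The same check applies to any other database whose lexer lacks backslash escapes, which is why quoting must follow the target dialect rather than a generic escape list.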

I have problems like this using Zend_Auth_Adapter_DbTable with Oracle Express, and I created a patch for this in Zend_Db_Adapter_Pdo_Oci.

Fixed in SVN11672 (applies the same quoting as the Oracle adapter). Fixes test failure testSelectColumnWithColonQuotedParameter.