ZF-7911: Zend_Db_Statement::_stripQuoted seems not to be complete
While investigating http://framework.zend.com/issues/browse/ZF-5063, I noted that there were some inconsistencies in Zend_Db_Statement::_stripQuoted. I'll repeat what I've mailed to the list:
Last week we ran into an issue with a segfault caused by the preg_replace statements in Zend_Db_Statement::_stripQuoted (issues ZF-5063 and ZF-7585). While trying to find a work-around, I discovered that this function is broken. The fix for issue ZF-3025 seems to be applied wrong (r9727).
The fix for my issue could be to modify the regular expression. Instead of the repetition, my replacement relies on assertions. During initial testing (running a 1MB query) it seems that this would not rely on the stack too much, reducing the chance of a segfault. This would need to be tested further. In the patch below, I restored the original replacement of quoted identifiers that was lost in r9727.
However, there are still some issues:

- In my regexp, I assume that a quote can be escaped by repeating the quote or by prefixing it with a backslash. A backslash itself can be escaped by repeating it. I'm not sure if these are safe assumptions for all RDBMS's.
- The patch should be tested thoroughly, although I'm quite confident about it.
- MySQL accepts both single and double quotes for values. This is not accounted for, nor was it in the old version. I'm not sure how this is for other RDBMS's. Would it be safe to strip out all quote styles: single ('), double (") and backtick (`)? I could imagine that for most systems this would be OK. Individual adapters could always override the default function and provide their own.
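For comparison, an added example that is not the reporter's patch and not Zend Framework code: a single-pass scanner that strips quoted regions under the escaping assumptions listed above, without any preg_* call and therefore without PCRE recursion on large queries. The function name `stripQuotedLinear`, the default set of three quote characters and the sample queries are assumptions made for this illustration.

```php
<?php
/**
 * Hypothetical helper (not Zend_Db_Statement code): remove quoted regions
 * from $sql in one pass, with no preg_* call and so no PCRE recursion.
 * Assumes the escaping rules listed in the report: a quote is escaped by
 * doubling it or by a preceding backslash; a backslash by doubling it.
 */
function stripQuotedLinear(string $sql, array $quoteChars = ["'", '"', '`']): string
{
    $out = '';
    $len = strlen($sql);
    $i = 0;
    while ($i < $len) {
        $c = $sql[$i];
        if (!in_array($c, $quoteChars, true)) {
            $out .= $c;          // ordinary SQL text is kept
            $i++;
            continue;
        }
        // Inside a quoted region: skip ahead to the matching closing quote.
        $i++;
        while ($i < $len) {
            if ($sql[$i] === '\\') {
                $i += 2;         // backslash escapes the next byte (\' or \\)
            } elseif ($sql[$i] === $c) {
                if ($i + 1 < $len && $sql[$i + 1] === $c) {
                    $i += 2;     // doubled quote is an escaped quote
                } else {
                    $i++;        // real closing quote
                    break;
                }
            } else {
                $i++;
            }
        }
        // An unterminated literal simply runs to the end of the input.
    }
    return $out;
}

// Constructed sample inputs: doubled quote, backslash-escaped quote,
// backtick identifier plus an escaped backslash before the closing quote.
$samples = [
    "SELECT * FROM t WHERE a = 'it''s ?' AND b = ?",
    "SELECT * FROM t WHERE a = 'x\\'y :n' AND b = :name",
    "SELECT `col?` FROM t WHERE c = \"q\\\\\" AND d = ?",
];
foreach ($samples as $sql) {
    echo stripQuotedLinear($sql), PHP_EOL;
}
```

An adapter whose RDBMS does not treat backslash as an escape character, or does not use all three quote styles, would need different rules than the ones assumed here.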