ZF-1984: Zend_Db_Statement->_stripQuoted() does not escape strings in regular expressions

Issue Type: Bug Created: 2007-09-24T07:04:16.000+0000 Last Updated: 2008-03-21T16:25:22.000+0000 Status: Resolved Fix version(s): - 1.5.0 (17/Mar/08)

Reporter: Michael Mayer (michaelm) Assignee: Bill Karwin (bkarwin) Tags: - Zend_Db

Related issues: Attachments:


When using reserved characters like [ and ], the regular expressions in the protected function Zend_Db_Statement->_stripQuoted() throw an exception/error. This is because the strings should be quoted like that:

$q = preg_quote($q); $qe = preg_quote($qe); $d = preg_quote($d); $de = preg_quote($de);

I noticed this problem while using MS-SQL Server (odbtp). Of course, you can set QUOTED_IDENTIFIER to ON and use double quotes instead of brackets (as described in related tickets):

This however doesn't change the fact, that chars inserted into a regular expression should be escaped. Delimiters in brackets can always be used, regardless of the setting of QUOTED_IDENTIFIER.

Just an idea, but isn't there an easier way of getting the escape characters from the database adapter? Functions like getIdentifierQuoteStartChar(), getIdentifierQuoteEndChar(), getQuoteStartChar() and getQuoteEndChar()? I would even recommend using public class constants for this purpose.


Posted by Darby Felton (darby) on 2007-09-26T14:55:37.000+0000

Assigning to [~bkarwin] to initiate issue review. Is this issue really a blocker?

Posted by Bill Karwin (bkarwin) on 2007-10-01T20:38:41.000+0000

Don't use brackets as identifier delimiters. This is not standard SQL, it's bogus Microsoft syntax. The Zend_Db_Adapter_Pdo_Mssql class always executes "SET QUOTED_IDENTIFIER ON" after connecting, to encourage usage of standard SQL syntax.

I don't think we should add methods to the Db Adapter interface to support non-standard syntax used by a single vendor. The better solution is to use the standard SQL identifier delimiter, which is the double-quote (") and is the same for begin and end of a delimited identifier.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.