ZF-53: quote() quotes numeric values inappropriately.

Issue Type: Bug Created: 2006-06-20T01:06:10.000+0000 Last Updated: 2007-07-05T14:43:08.000+0000 Status: Resolved Fix version(s): - 0.8.0 (21/Feb/07)

Reporter: Zend Framework (zend_framework) Assignee: Bill Karwin (bkarwin) Tags: - Zend_Db

Related issues: Attachments:


I notice the quote() method quotes even numeric values which is not necessary.

Its strange this problem is manifest only with scalars. With an array as an argument, it works as expected: quote( '123' ); RESULT: '123'

quote( array( '1', 2, 3, 'a', 'b' )); RESULT: 1, 2, 3, 'a', 'b'

the problem is only with the quote(numeric-scalar). Doing an is_numeric() validation in the quote() method should do the trick.


Posted by Zend Framework (zend_framework) on 2006-06-20T01:06:29.000+0000

05/22/06 11:52:28: Modified by jayson

* component changed from Documentation to Zend_Db.

05/22/06 15:50:20: Modified by

For the PDO drivers, if this is a bug, then it is in PDO rather than in the framework code.

Zend_Db_Adapter_Pdo_Abstract::quote() calls the PDO drivers quote() function to do the work. clearly shows that it takes a string, not a mixed, so I suspect that it is by design.

Having said that, the manual page also says: "PDO::quote() places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver." The "if required" bit makes me wonder if the PDO drivers are supposed to be cleverer than they are.

Incidentally, I'm seeing quoted numbers in all cases for PDO drivers:

<pre class="highlight">
        // test numeric
        $value = $this->_db->quote('1');
        $this->assertEquals("'1'", $value);

        $value = $this->_db->quote(1);
        $this->assertEquals("'1'", $value);

        $value = $this->_db->quote(array(1,'2',3));
        $this->assertEquals("'1', '2', '3'", $value);

all pass.

Posted by Gavin (gavin) on 2006-07-24T18:09:45.000+0000

Yields reasonable output, as expected according to PHP's PDO documentation:

<pre class="highlight">
$include_path = ini_get('include_path')   . PATH_SEPARATOR . "./zf/library";
ini_set('include_path',  $include_path); 

require 'zf/library/Zend/Db.php';

$adapt = Zend_Db::factory('PDO_Sqlite',array('dsnprefix'=>'sqlite','dbname'=>'foo.sq3'));

$vals = array( '1', 2, 3, 'a', 'b' );
foreach ( $vals as &$val)

    $val = $adapt->quote($val);

var_dump(implode(', ', $vals));

At some point, integers, strings, dates, and such must be converted from PHP's data types to the database's types. Usually, programmers try to minimize the number of conversions for various reasons. PDO's choice of normalizing to strings enables developers to see exactly what will be sent to the database, making it easy to test and debug.

Posted by Gavin (gavin) on 2006-07-24T18:43:09.000+0000

"PDO is deliberately somewhat type agnostic in that it prefers to represent data as strings instead of converting to integer or double types. You might wonder at this, but the reasoning is quite simple: the string type is the type that is most precise and has the largest range available in PHP; prematurely converting data into integers or doubles can lead to either truncation or rounding errors. By pulling the data out as strings, PDO gives your script control over how and when the conversion happens using the usual PHP type juggling facilities (such as casting and implicitly during mathematical operations)."

Posted by Bill Karwin (bkarwin) on 2007-02-18T15:37:12.000+0000

This actually is an issue, for example for DB2 and MySQL.

An expression like "columnName = '12'" fails on DB2 because it has no implicit way of converting a string to an integer.

This is also an issue on MySQL, because a comparison of an integer column to a string spoils the optimizer. It can't use an index on the column because it thinks it's comparing against an expression, not a constant of the matching type. So it results in very bad performance.

Posted by Bill Karwin (bkarwin) on 2007-02-18T15:38:18.000+0000

Fixed in revision 3520.

Posted by Bill Karwin (bkarwin) on 2007-02-18T15:43:43.000+0000

Note that I used is_int(), not is_numeric(). is_int() returns true only for actual PHP integer scalars, but is_numeric() returns true for strings that contain characters valid for a numeric value. I want strings to continue to be quoted even if they appear numeric, so that strings like '000123' where the leading zeroes are significant can be inserted (this is not an unusual case).

Posted by Bill Karwin (bkarwin) on 2007-02-18T15:52:47.000+0000

Unit tests updated in revision 3521.

Posted by Bruno CHALOPIN (bruno) on 2007-07-03T15:27:42.000+0000

Since version 1.0.0 production release, it raise un issue on MS SQL server. When inserting data in a string field, if the data is numeric, it raise un SQL error. There should have an optional boolean parameter in the quote function wich enable or not the is_numeric test.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.