Hello,
A client alerted me to an issue caused by emulate prepare in combination
with LIMIT clauses:
http://bugs.php.net/bug.php?id=40740
The problem is that any integer that should be inserted into a clause
like "LIMIT ?, ?" would be quoted, which MySQL (same I would assume is
the case with PostgreSQL, SQLite etc) obviously will not accept.
Here is the proposed solution:
Well there is no way to hint to MySQL if something is a string or not
using emulate_prepare. What I think could make sense is for MySQL to
look at the type though.
So that:
$foo = '1'; // quoted as a string
$foo = 1; // interpreted as an integer and therefore not quoted
This should be fine for security as well, since integers should not
cause any SQL injection issues.
Of course this would break any code where people try to insert an
integer into a string column. But I think this would be very rare and
the benefit would outweigh the disadvantages.
However I would like to comment on a general issue here. This problem
has been solved by many DBAL authors in the PHP space. While they may not
be C hackers, they do know databases and the challenges in talking to
them from PHP. Please all PDO developers leverage this experience. Feel
free to talk to me, or even better, ask on
[EMAIL PROTECTED], which is where pretty much all of the
main DBAL authors in the PHP world are reading. This way we can avoid
doing some of the same issues that we have all gone through already.
regards,
Lukas
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
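To make the type-based quoting rule from the message above concrete, here is an added stand-alone illustration (not PDO's code, not from the bug report): a hypothetical `emulateBind()` that inlines PHP integers bare and quotes everything else, with a `quoteLikePdo()` stand-in for `PDO::quote()` that assumes MySQL-style backslash escaping.

```php
<?php
// Added illustration of the proposed behaviour. Hypothetical helpers; this is
// not how pdo_mysql's emulated prepare is implemented.
declare(strict_types=1);

function quoteLikePdo(string $value): string
{
    // Stand-in for PDO::quote(): escape backslashes and single quotes,
    // then wrap in single quotes.
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

/**
 * Substitute positional '?' placeholders the way the proposal suggests:
 * a PHP int is inlined as a bare number, null becomes NULL, anything else
 * is quoted. Simplification: a literal '?' inside an SQL string literal
 * would also be replaced, which a real parser must avoid.
 */
function emulateBind(string $sql, array $params): string
{
    $i = 0;
    return preg_replace_callback('/\?/', function () use (&$i, $params): string {
        if (!array_key_exists($i, $params)) {
            throw new InvalidArgumentException("missing parameter $i");
        }
        $value = $params[$i++];
        if (is_int($value)) {
            return (string) $value;             // bare: acceptable in LIMIT
        }
        if ($value === null) {
            return 'NULL';
        }
        return quoteLikePdo((string) $value);   // quoted string literal
    }, $sql);
}

$sql = 'SELECT id FROM posts WHERE author = ? LIMIT ?, ?';

// Integers from application code: LIMIT receives bare numbers.
echo emulateBind($sql, ['lukas', 20, 10]), "\n";

// Values straight from a request are strings, so under this rule they are
// still quoted and LIMIT still fails; the caller has to cast them. Only a
// genuine PHP int is ever inlined, so non-numeric input never reaches the
// SQL unquoted.
$offset = '20';
$count  = '10';
echo emulateBind($sql, ['lukas', (int) $offset, (int) $count]), "\n";
```

With the real PDO API, the equivalent of the cast above is `bindValue($pos, (int) $value, PDO::PARAM_INT)`, or turning emulation off with `PDO::ATTR_EMULATE_PREPARES => false` so the server receives a typed parameter.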