Newsgroups: php.internals
Message-ID: <4656E0C8.6080801@pooteeweet.org>
Date: Fri, 25 May 2007 15:12:40 +0200
From: mls@pooteeweet.org (Lukas Kahwe Smith)
To: internals@lists.php.net
Subject: PDO "bug" with LIMIT and emulate prepare

Hello,

A client alerted me to an issue caused by emulate prepare in combination with LIMIT clauses:
http://bugs.php.net/bug.php?id=40740

The problem is that any integer that should be inserted into a clause like "LIMIT ?, ?" would be quoted, which MySQL (the same I would assume is the case with PostgreSQL, SQLite etc.) obviously will not accept.

Here is the proposed solution: Well, there is no way to hint to MySQL if something is a string or not using emulate_prepare. What I think could make sense is for MySQL to look at the type though. So that:

$foo = '1'; // quoted as a string
$foo = 1;   // interpreted as an integer and therefore not quoted

This should be fine for security as well, since integers should not cause any SQL injection issues. Of course this would break any code where people try to insert an integer into a string column. But I think this would be very rare and the benefit would outweigh the disadvantages.

However I would like to comment on a general issue here. This problem has been solved by many DBAL authors in the PHP space. While they may not be C hackers, they do know databases and the challenges in talking to them from PHP. Please, all PDO developers, leverage this experience. Feel free to talk to me .. or even better ask on phpdbabstraction@lists.pengus.net, which is where pretty much all of the main DBAL authors in the PHP world are reading. This way we can avoid repeating some of the same issues that we have all gone through already.

regards,
Lukas
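Added example, not part of the post above or of PDO itself: it reproduces the failure the post describes (emulated prepares interpolating LIMIT arguments as quoted strings) and then shows the workaround application code normally uses, binding the value with an explicit integer cast and PDO::PARAM_INT. The DSN, credentials, the `articles` table and the request-style string inputs are all assumptions made for the example; it needs a reachable MySQL server to run.

```php
<?php
// Added example (not from the mailing-list post). Assumes a MySQL server
// reachable with these hypothetical credentials and a table `articles`
// that has an integer `id` column.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=example', 'example_user', 'example_pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Force the client-side emulation the post is about.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);

// Constructed inputs: paging values as they usually arrive from a request,
// i.e. as strings, not PHP integers.
$offset = '20';
$count  = '10';

$sql = 'SELECT id FROM articles ORDER BY id LIMIT ?, ?';

// 1. Naive binding. Under emulation PDO builds the query text itself and
//    quotes every string parameter, so the server receives
//        ... LIMIT '20', '10'
//    which MySQL rejects with a syntax error instead of returning rows.
try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$offset, $count]);
    echo "naive binding unexpectedly succeeded" . PHP_EOL;
} catch (PDOException $e) {
    echo "naive binding failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Workaround: cast to int *and* declare the parameter type. The (int)
//    cast is what makes this injection-safe: only digits (or 0) can reach
//    the query text once the driver interpolates the value unquoted. The
//    PARAM_INT hint alone is not enough, because a string value bound as
//    PARAM_INT may still be quoted by the emulation layer.
$stmt = $pdo->prepare($sql);
$stmt->bindValue(1, (int) $offset, PDO::PARAM_INT);
$stmt->bindValue(2, (int) $count,  PDO::PARAM_INT);
$stmt->execute();

$ids = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "rows returned: " . count($ids) . PHP_EOL;
```

The other route applications take is to turn emulation off (`PDO::ATTR_EMULATE_PREPARES` set to false) so the server binds parameters itself; that changes behaviour for every statement on the connection, which is why the cast-and-PARAM_INT form above is the one usually applied locally to LIMIT and OFFSET values. Whichever route is chosen, the integer cast is the check worth keeping: it is the reason an unquoted value in the query text cannot carry an injection payload.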