why does quote() method null-terminate strings?

  • Question

  • My environment:

    Windows XP  SP2; Apache 2.2.11; PHP 5.2.9-1; SQL Server 2005 Developer Edition; SQL Server 2008 Native drivers

    I'm using the Yii framework v1.1.3, which wraps PDO functions

    case 1) using 'mssql' driver, the quote() method returns a normally-quoted  string.

      $var = 'ABC';

      $quotedVar = $pdo->quote($var);  // returns  'ABC'

    case 2) using 'sqlsrv' driver, the quote() method returns a quoted, NULL-TERMINATED string.  WHY?

      $var = 'ABC';

      $quotedVar = $pdo->quote($var);  // returns 'ABC'\0000

    The problem arises when I form a "criteria" object in Yii (CDbCriteria), which is basically the 'where' clause to be executed.  If the quote() method returns the null-terminated string, it is impossible to append anything further.   The old mssql driver does not return a null-terminated string, hence anything can be concatenated to the result.

    I like the CTP 2.0 driver very much, mainly for two improvements

      a) implementation of connection-pooling

      b) mssql driver returns empty string as blank space, which is a serious bug. 

    BUT - the quote() method is proving something of a problem. I've worked around it in one situation by reversing the order of concatenation, since the two clauses are AND'ed together.  But in the long run it may prove a bigger problem.  Advice welcome.

    - Jeremy

    Friday, July 30, 2010 9:26 PM

Answers

  • Thanks for reporting this. I have confirmed that this is an issue in our PDO_SQLSRV driver. We are looking forward to fixing this in the next release of our driver.

    Tuesday, August 3, 2010 8:45 PM

All replies

  • Thanks for reporting this Jeremy, we are looking at this issue internally.
    Ashay Chaudhary
    SQL Server Driver for PHP (http://blogs.msdn.com/sqlphp)
    All information provided "as-is" and without warranty.
    Tuesday, August 3, 2010 8:00 PM
  • When do you anticipate having this resolved?  I'd really like to not have to use magic_quotes in order to properly escape single quotes in my pre-sql data.

    Wednesday, April 27, 2011 10:15 PM
  • Bruce,

    It appears that this issue was resolved in version 2.0.1. Have you tried the latest version? If yes, are you still seeing issues?

     

    Thanks,

    Jonathan


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, April 28, 2011 6:12 PM
  • If it is not resolved, you can always call rtrim($quotedVar,"\0"); in php.

    Edit: It is resolved, PDO::quote() works.


    Rob
    Thursday, May 5, 2011 1:02 PM
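
The rtrim workaround from the reply above, wrapped in a helper and shown next to bound parameters, for driver versions that still return the trailing NUL. This is an added example, not code from the thread, the driver or Yii: BuggyPdo and quoteClean are hypothetical names, the table and rows are constructed, and the trailing NUL is simulated on an in-memory SQLite database (assumes PHP 8 with pdo_sqlite).

```php
<?php
// Added example, not the driver's or Yii's code. BuggyPdo is a hypothetical
// stand-in that reproduces the reported symptom on in-memory SQLite.
class BuggyPdo extends PDO
{
    public function quote(string $string, int $type = PDO::PARAM_STR): string|false
    {
        return parent::quote($string, $type) . "\0"; // simulated trailing NUL
    }
}

// Hypothetical helper: apply the rtrim workaround, then refuse any literal
// that still contains a NUL byte instead of passing it on to the driver.
function quoteClean(PDO $pdo, string $value): string
{
    $quoted = $pdo->quote($value);
    if ($quoted === false) {
        throw new RuntimeException('driver does not implement quote()');
    }
    $quoted = rtrim($quoted, "\0");
    if (strpos($quoted, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte inside quoted literal');
    }
    return $quoted;
}

$pdo = new BuggyPdo('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, active INTEGER)'); // constructed data
$pdo->exec("INSERT INTO users VALUES ('ABC', 1), ('ABC', 0), ('O''Brien', 1)");

// Raw concatenation: the second condition ends up behind a NUL byte.
$raw = 'name = ' . $pdo->quote('ABC') . ' AND active = 1';
echo 'NUL in raw clause: ', var_export(strpos($raw, "\0") !== false, true), "\n";
echo 'Text before the NUL: ', strstr($raw, "\0", true), "\n";

// Cleaned literal: both conditions reach the database.
$where = 'name = ' . quoteClean($pdo, 'ABC') . ' AND active = 1';
$rows = $pdo->query("SELECT COUNT(*) FROM users WHERE $where")->fetchColumn();
echo "Rows matching cleaned clause: $rows\n";

// Bound parameters: the application does no quoting or concatenation of values.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :n AND active = :a');
$stmt->execute([':n' => "O'Brien", ':a' => 1]);
echo 'Rows matching bound query: ', $stmt->fetchColumn(), "\n";
```

If the text after the NUL is dropped, as the question describes, an AND'ed condition appended to the quoted value silently disappears from the WHERE clause, which is why the helper rejects the literal rather than passing it on.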
  • If it is not resolved, you can always call rtrim($quotedVar,"\0"); in php.

    Edit: It is resolved, PDO::quote() works.


    Rob

     

    As far as I'm concerned this is still an issue and PDO::quote() won't work: 

    "Fatal error: Non-static method PDO::quote() cannot be called statically".

     

    Tuesday, May 10, 2011 9:14 AM
  • My apologies, it is resolved in version 2.0.1!
    Tuesday, May 10, 2011 9:36 AM