PDO::quote alternative
psafarov opened this issue · 6 comments
As it is currently not possible to send multiple statements in one `execute` call (because it uses prepared statements), it would be nice to have a function to escape/quote scalar values before using them in SQL sent via the `query` function.
Please use prepared statements instead.
Escaping is encoding dependent and thus hard to implement correctly while covering all edge cases. If we don't cover all edge cases, there will be a false sense of security. A much better solution exists: Prepared statements.
I believe prepared statements are not a silver bullet and escaping values is justified in some cases. But if you say that it is difficult to implement...
@kelunik In my case I need to send two statements, `SELECT ... FOR UPDATE` and `UPDATE`. The problem with `SELECT ... FOR UPDATE` is that it increases the probability of deadlocks, so we need to execute the `UPDATE` asap. Sending both statements at once is a solution here, but we also need to pass parameters, and that is where it falls down, as the only safe way to pass parameters is a prepared statement. So we have two features, safe parameter injection and multi-statements, which don't work together. Something like `PDO::quote` would save us here.
@kelunik Another example: `LOAD DATA INFILE`, which doesn't work via prepared statements, but we still might want to insert some dynamic values.
This is something we currently don't plan to implement. For many simple strings this is something which can be implemented by library users using regular expressions or similar for validation instead of building escaping logic. Users should generally prefer using prepared statements instead.
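As an added illustration (not code from this issue or from the library being discussed), the two approaches the maintainers point to instead of a quote function: the `SELECT ... FOR UPDATE` / `UPDATE` pair issued as two prepared statements inside one transaction, and a strict allowlist check for a value that cannot be bound (the `LOAD DATA INFILE` file name). It uses PDO against MySQL purely as a stand-in; the table names, columns, directory and file-name pattern are assumptions.

```php
<?php
// Added example, not the library's own code. PDO/MySQL used only for illustration.

// 1. SELECT ... FOR UPDATE followed immediately by UPDATE, both as prepared
//    statements inside one transaction. No multi-statement packet is needed:
//    the row lock is held until commit and the UPDATE is sent straight after
//    the SELECT, so the lock window stays short while every value is bound.
function reserveStock(PDO $pdo, int $productId, int $qty): bool
{
    $pdo->beginTransaction();
    try {
        $select = $pdo->prepare(
            'SELECT stock FROM products WHERE id = :id FOR UPDATE'
        );
        $select->execute([':id' => $productId]);
        $stock = $select->fetchColumn();          // false when no row matched
        if ($stock === false || (int) $stock < $qty) {
            $pdo->rollBack();
            return false;
        }
        $update = $pdo->prepare(
            'UPDATE products SET stock = stock - :qty WHERE id = :id'
        );
        $update->execute([':qty' => $qty, ':id' => $productId]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// 2. A value MySQL will not take as a bound parameter (the file name in
//    LOAD DATA INFILE) is validated against a strict allowlist pattern and
//    rejected outright if it does not match, instead of being "escaped".
//    Validation is possible here because the accepted shape is narrow and
//    known; it is not a general substitute for parameter binding.
function loadCsv(PDO $pdo, string $basename): int
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.csv\z/', $basename)) {
        throw new InvalidArgumentException('unexpected file name');
    }
    // Assumed server-side import directory; the path is built only from
    // the fixed prefix and the validated base name.
    $path = '/var/lib/mysql-files/' . $basename;
    $sql = "LOAD DATA INFILE '" . $path . "' INTO TABLE imports "
         . "FIELDS TERMINATED BY ',' LINES TERMINATED BY '\\n'";
    return $pdo->exec($sql);                      // rows imported
}
```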