nette/database

ODBC query param preprocessing (PDO::quote() not implemented by PDO_ODBC)

zvizesna opened this issue · 0 comments

Version: 2.4.6

Before executing a database query, query parameters are parsed and escaped in the method formatValue in SqlPreprocessor. If the param is of type string, it is then passed to PDO::quote().
However, according to PHP.net, PDO::quote() is not implemented by PDO_ODBC:

Not all PDO drivers implement this method (notably PDO_ODBC). Consider using prepared statements instead.

As a result, queries with ? placeholders for string params are stripped of the placeholders, but the actual param values are not filled in. Therefore the preprocessed query produces an SQL syntax error.

Call stack:

PDO::quote()
Nette\Database\Connection:143 quote()
Nette\Database\SqlPreprocessor:122 formatValue()
Nette\Database\SqlPreprocessor:63 process()
Nette\Database\Connection:207 preprocess()
Nette\Database\Connection:178 query()
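To make the failure mode concrete, the following PHP is an added illustration, not code from nette/database: a reduced stand-in for the formatValue/process step with two constructed drivers, one that implements quote() and one that returns false the way PDO_ODBC does. The `Quoter` interface, the driver classes and the two `preprocess*` functions are assumptions made for the example; the naive version reproduces the empty-literal problem described above, and the hardened version keeps the `?` and hands the value back for binding through a prepared statement, which is what the PHP manual recommends.

```php
<?php
declare(strict_types=1);

// Added example, not nette/database code. Demonstrates what happens when a
// driver's quote() returns false (PDO_ODBC) and how to fall back to binding.

interface Quoter
{
    /** Mirrors PDO::quote(): a quoted literal, or false if not implemented. */
    public function quote(string $value): string|false;
}

/** Constructed driver that quotes like most PDO drivers do (doubles quotes). */
final class QuotingDriver implements Quoter
{
    public function quote(string $value): string|false
    {
        return "'" . str_replace("'", "''", $value) . "'";
    }
}

/** Constructed driver mimicking PDO_ODBC, where quote() is not implemented. */
final class OdbcLikeDriver implements Quoter
{
    public function quote(string $value): string|false
    {
        return false;
    }
}

/** Naive inlining of string params: the behaviour the report describes. */
function preprocessNaive(string $sql, array $params, Quoter $driver): string
{
    $i = 0;
    return preg_replace_callback('/\?/', function () use (&$i, $params, $driver) {
        $value = $params[$i++];
        // A false return from quote() is cast to '' here, so the placeholder
        // disappears and nothing replaces it: the query is now malformed.
        return is_string($value) ? (string) $driver->quote($value) : (string) $value;
    }, $sql);
}

/**
 * Hardened version: inline a string only when quote() succeeded; otherwise
 * keep the `?` and return the value so the caller binds it in a prepared
 * statement. Returns [sql, bindings].
 */
function preprocessSafe(string $sql, array $params, Quoter $driver): array
{
    $i = 0;
    $bindings = [];
    $out = preg_replace_callback('/\?/', function () use (&$i, &$bindings, $params, $driver) {
        $value = $params[$i++];
        if (is_string($value)) {
            $quoted = $driver->quote($value);
            if ($quoted !== false) {
                return $quoted;
            }
        }
        // Driver cannot quote (or value is not a string): bind instead of inlining.
        $bindings[] = $value;
        return '?';
    }, $sql);
    return [$out, $bindings];
}

// Constructed sample query and parameters.
$sql    = 'SELECT * FROM users WHERE name = ? AND id = ?';
$params = ["O'Brien", 42];

foreach ([new QuotingDriver(), new OdbcLikeDriver()] as $driver) {
    echo get_class($driver), PHP_EOL;
    echo '  naive : ', preprocessNaive($sql, $params, $driver), PHP_EOL;
    [$safeSql, $bindings] = preprocessSafe($sql, $params, $driver);
    echo '  safe  : ', $safeSql, '  bindings=', json_encode($bindings), PHP_EOL;
}
```

With `QuotingDriver` the naive path yields a complete literal; with `OdbcLikeDriver` it yields `WHERE name =  AND id = 42`, the syntax error from the report. The hardened path returns `WHERE name = ? AND id = ?` together with the bindings, so the caller passes them to a prepared statement instead of relying on client-side escaping that the driver does not provide.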