ODBC query param preprocessing (PDO::quote() not implemented by PDO_ODBC)
zvizesna opened this issue · 0 comments
Version: 2.4.6
Before executing a database query, query parameters are parsed and escaped in the method formatValue in SqlPreprocessor. If the param is of type string, it is then passed to PDO::quote().
However, according to PHP.net, PDO::quote() is not implemented by PDO_ODBC:
"Not all PDO drivers implement this method (notably PDO_ODBC). Consider using prepared statements instead."
As a result, queries with ? placeholders for string params are stripped of the placeholders, but the actual param values are not filled in. Therefore the preprocessed query produces an SQL syntax error.
Call stack:
PDO::quote()
Nette\Database\Connection:143 quote()
Nette\Database\SqlPreprocessor:122 formatValue()
Nette\Database\SqlPreprocessor:63 process()
Nette\Database\Connection:207 preprocess()
Nette\Database\Connection:178 query()
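
An added example, not part of the original issue and not Nette's code: PDO::quote() returns false when the driver cannot quote, and false concatenated into SQL becomes an empty string, which is consistent with the missing values reported above. The sketch checks that return value and falls back to a bound parameter on a prepared statement. Assumptions: `NoQuotePdo` and `preprocess()` are hypothetical names, SQLite (pdo_sqlite, PHP 8) stands in for the ODBC driver, and the `?` scan assumes no literal question marks inside the SQL text.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for PDO_ODBC: quote() signals "unsupported" by returning false.
final class NoQuotePdo extends PDO
{
    public function quote(string $string, int $type = PDO::PARAM_STR): string|false
    {
        return false;
    }
}

/**
 * Hypothetical helper: inline a string only if the driver can quote it,
 * otherwise keep the "?" and return the value for binding.
 * Returns [sql, values still to bind].
 */
function preprocess(PDO $pdo, string $sql, array $params): array
{
    $bound = [];
    $i = 0;
    $out = preg_replace_callback('/\?/', function () use ($pdo, $params, &$bound, &$i): string {
        if (!array_key_exists($i, $params)) {
            throw new InvalidArgumentException('Fewer parameters than placeholders.');
        }
        $value = $params[$i++];
        if (is_string($value)) {
            $quoted = $pdo->quote($value);
            if ($quoted !== false) {
                return $quoted;          // driver supports quoting: safe to inline
            }
        }
        $bound[] = $value;               // no quoting available: leave it to the driver
        return '?';
    }, $sql);
    return [$out, $bound];
}

$pdo = new NoQuotePdo('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'O''Brien')");   // constructed sample row

// Unchecked concatenation drops the value, leaving broken SQL.
var_dump('SELECT id FROM users WHERE name = ' . $pdo->quote("O'Brien"));

// Checked version: placeholder survives and the value is bound at execute().
[$sql, $bound] = preprocess($pdo, 'SELECT id FROM users WHERE name = ?', ["O'Brien"]);
$stmt = $pdo->prepare($sql);
$stmt->execute($bound);
var_dump($sql, $bound, $stmt->fetchColumn());
```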