MySQL/PDO::quote() 尽管使用 PDO::PARAM_INT 参数,但仍在整数周围加上引号
看来无论我传递给 $pdo->quote($value, $type); 的值/数据类型对,它总是将其作为字符串引用:
echo $pdo->quote('foo', PDO::PARAM_STR); /* 'foo', as expected */
echo $pdo->quote(42, PDO::PARAM_INT); /* '42', expected 42 unquoted */
我只是好奇知道这是否是预期的功能。我使用准备好的语句来执行实际查询,但我正在尝试fetch创建最终查询字符串(用于调试/缓存),并手动构建它们。
正如标题所示,这是使用 MySQL 驱动程序创建 $pdo 的时间。由于不可用,我没有尝试过其他的。
It appears no matter what value/data-type pair I pass to $pdo->quote($value, $type);, it always quotes it as a string:
echo $pdo->quote('foo', PDO::PARAM_STR); /* 'foo', as expected */
echo $pdo->quote(42, PDO::PARAM_INT); /* '42', expected 42 unquoted */
I'm just curious to know if this is the intended functionality. I use prepared statements for actual query execution, but I'm trying to fetch create the final querystrings (for debugging/caching), and am constructing them manually.
As the title suggests, this is when $pdo is created using the MySQL driver. I haven't tried others due to unavailability.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
PDO: :PARAM_STR_NATL和PDO::PARAM_STR_CHAR标志);否则,它会忽略参数类型。您期望的(缺乏)行为被报告为错误并关闭为“bogus”,意思是该行为是有意设计的。当文档指出以下内容时,可能会产生误导:
虽然这表明可能存在值没有被引号包围的情况,但它并没有说肯定有,也没有它说明了这些实例是什么。如果您认为这是文档中的错误,请提交错误报告,最好包含修复程序。
PDO::PARAM_STR_NATLandPDO::PARAM_STR_CHARflags); otherwise, it ignores the param type.The (lack of) behavior you expect was reported as a bug and closed as "bogus", meaning the behavior is by design. Perhaps the documentation is misleading when it states:
While this suggests there may be instances when values aren't surrounded by quotes, it doesn't say there definitely are, nor does it state what those instances are. If you feel this is a bug in documentation, submit a bug report, preferably with a fix.
根据 PDO 开发人员的说法,这是他们的代码和文档中的故意错误。
他们似乎不打算纠正它,因此您可以通过包装他们的错误函数并根据需要替换行为来自己完成。
实际上你别无选择,因为在某些情况下你需要对数字进行正确的引用行为,你不能在任何地方都使用字符串引用,因为 SQL 可能不接受它。
作为旁注,上述函数将从任何非法数据中生成 0。
SQL 注入是不可能的,但不会引发错误。
如果您想捕获错误,您可以对两个变量执行“strlen”,如果不同,您就知道存在问题或入侵尝试。
According to the PDO developers it's a intentional error in their code and in their documentation.
They do not seem to plan to correct it, so you can do it yourself by wrapping their errornous function and replacing the behaviour as needed.
You actually have no choice as in some cases you NEED a correct quote behaviour for numbers, you can't just use string quoting everywhere as SQL might just not take it.
As a sidenote, the above function will make a 0 out of any illegal data.
SQL injections are not possible but it will not throw an error.
If you want to catch errors you could do a "strlen" on both variables and if that differs you know there was a problem or an intrusion attempt.