Nette\Database quoting backslash, wrong? \ should be \

4 years ago

mcmatak
Member | 499

I am creating a select query by concatenating strings, and I quote the variables with this function

return $columnName . " LIKE " . $this->database->getConnection()->quote($value);

but this doesn't work, because the backslash is not escaped

according to the documentation it should be like this:

Because MySQL uses C escape syntax in strings (for example, “\n” to represent a newline character), you must double any “\” that you use in LIKE strings. For example, to search for “\n”, specify it as “\\n”. To search for “\”, specify it as “\\\\”; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against.

am I using a bad function for sanitizing, or where is the problem? is it a bug? or my fault?

4 years ago

mcmatak
Member | 499

mcmatak wrote:

I am creating a select query by concatenating strings, and I quote the variables with this function

return $columnName . " LIKE " . $this->database->getConnection()->quote($value);

but this doesn't work, because the backslash is not escaped

according to the documentation it should be like this:

Because MySQL uses C escape syntax in strings (for example, “\n” to represent a newline character), you must double any “\” that you use in LIKE strings. For example, to search for “\n”, specify it as “\\n”. To search for “\”, specify it as “\\\\”; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against.

am I using a bad function for sanitizing, or where is the problem? is it a bug? or my fault?

it seems that this is the behaviour of the PHP PDO driver and not a bug, it needs to see the whole query, but any suggestion how to solve it? also I don't know how to move from bugs

https://bugs.php.net/bug.php?…

4 years ago

mcmatak
Member | 499

hm, it seems that Nette\Database doesn't use pdo->prepare, so in Nette Database this doesn't work, and this is a bug?

because it doesn't work even if I write it like this

$count = $this->database->queryArgs($query, $queryParams)->fetchField(0);

it ignores the MySQL \\\\ quoting for LIKE, yes?
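As an added example (not code from the thread or from Nette itself): quote() only escapes the value as a SQL string literal, but LIKE applies a second round of backslash processing, so the value needs a separate LIKE-level escape of `\`, `%` and `_` before it is bound as a parameter rather than concatenated into the SQL. The table and column names and the `?` placeholder passed to the queryArgs() call from the post are assumptions for illustration.

```php
<?php
// Added example, not from the original post or from Nette\Database.
// Escape a user-supplied fragment so LIKE matches it literally:
// the backslash is doubled first, then the wildcards get a backslash
// prefix, so the escaping backslashes are not doubled a second time.
function escapeLikeFragment(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// Build the pattern and bind it as a parameter instead of concatenating
// a quote()d string into the query. With emulated prepares the driver
// quotes the value once more for the string literal; with native
// prepares it is sent as-is. LIKE strips one backslash in both cases,
// so the user input is matched literally either way.
function countLike($database, string $column, string $userInput): int
{
    // Hypothetical table/column; $database is a Nette\Database connection.
    $pattern = '%' . escapeLikeFragment($userInput) . '%';
    return (int) $database->queryArgs(
        'SELECT COUNT(*) FROM items WHERE ' . $column . ' LIKE ?',
        [$pattern]
    )->fetchField(0);
}

// Constructed sample inputs showing what reaches the LIKE operator.
assert(escapeLikeFragment('50%_off\\') === '50\\%\\_off\\\\');
assert(escapeLikeFragment('C:\\Users\\') === 'C:\\\\Users\\\\');
assert(escapeLikeFragment('plain') === 'plain');
```

The column name is still interpolated, so it must come from an allow-list of known column names, never from user input.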