Nette\Database quoting backslash, wrong? \ should be \
- mcmatak
- Member | 504
I am creating a select query by concatenating strings, and I quote the variables with this function:
return $columnName . " LIKE " . $this->database->getConnection()->quote($value);
but this doesn't work, because the backslash is not escaped.
According to the documentation it should be like this:
Because MySQL uses C escape syntax in strings (for example, “\n” to represent a newline character), you must double any “\” that you use in LIKE strings. For example, to search for “\n”, specify it as “\\n”. To search for “\”, specify it as “\\\\”; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against.
Am I using a bad function for sanitizing, or where is the problem? Is it a bug, or my fault?
- mcmatak
- Member | 504
mcmatak wrote:
I am creating a select query by concatenating strings, and I quote the variables with this function:
return $columnName . " LIKE " . $this->database->getConnection()->quote($value);
but this doesn't work, because the backslash is not escaped.
According to the documentation it should be like this:
Because MySQL uses C escape syntax in strings (for example, “\n” to represent a newline character), you must double any “\” that you use in LIKE strings. For example, to search for “\n”, specify it as “\\n”. To search for “\”, specify it as “\\\\”; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against.
Am I using a bad function for sanitizing, or where is the problem? Is it a bug, or my fault?
It seems that this is the behaviour of the PHP PDO driver, and not a bug; it needs to see the whole query. But any suggestions on how to solve it? I also don't know how to move this out of bugs.
- mcmatak
- Member | 504
Hm, it seems that Nette\Database doesn't use pdo->prepare, so in Nette Database this doesn't work. Is this a bug?
Because it doesn't work even if I write it like this:
$count = $this->database->queryArgs($query, $queryParams)->fetchField(0);
It ignores the MySQL \\\\ quoting for LIKE, yes?
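One way to handle the LIKE escaping asked about in the thread, as an added example that is not code from the thread or from Nette: escape the value once for the LIKE layer (backslash, `%` and `_`), then pass it as a bound PDO parameter so the driver handles the string-literal layer (the "\\\\" in the MySQL manual). The `$pdo` connection, the `users` table and the column allow-list are assumptions for the example.

```php
<?php
// Added example, not from the thread or from Nette.
// Assumed: a PDO connection to MySQL and a table `users` with columns `name`, `email`.

/**
 * Escape a user-supplied value for use inside a LIKE pattern.
 * Backslash is doubled because LIKE strips one level of escaping itself;
 * % and _ are escaped so a user value cannot act as a wildcard and match
 * every row. The SQL string-literal layer is NOT handled here: the driver
 * does that when the value is passed as a bound parameter (or via quote()).
 */
function escapeLikePattern(string $value): string
{
    // strtr() with an array replaces in a single pass, so the backslashes
    // added for % and _ are not doubled again afterwards.
    return strtr($value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

/**
 * Return rows whose column contains $needle literally (no wildcard semantics).
 * MySQL's default LIKE escape character is the backslash, so no ESCAPE clause is needed.
 */
function findContaining(PDO $pdo, string $column, string $needle): array
{
    // Identifiers cannot be bound as parameters; restrict them to a fixed allow-list.
    $allowed = ['name', 'email'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Column not allowed: $column");
    }
    $stmt = $pdo->prepare("SELECT * FROM users WHERE `$column` LIKE ?");
    $stmt->execute(['%' . escapeLikePattern($needle) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Worked values (no database needed to check the escaping itself):
assert(escapeLikePattern('a\\b') === 'a\\\\b');          // a\b     -> a\\b
assert(escapeLikePattern('50%_off') === '50\\%\\_off');  // 50%_off -> 50\%\_off
```

With PDO's emulated prepares the bound value is quoted like quote() does, and with native prepares it is sent as-is; in both cases the single doubling above is what LIKE needs to match a literal backslash.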