Quote:
Originally Posted by SpotSec
you do notice that you're using single quotes that aren't escaped?
No, what I am saying is that I didn't find any option to configure PDO::MySQL -> prepare($sql) so that it does NOT PARSE my query.
Anyway, the PDO library parses the query and interprets the question mark character as a bind parameter. Also, that is not always what you want: you may have database contents containing the "?" character!
Try to execute the following code:
PHP Code:
<?php
require_once 'Zend/Db.php';

$params = array(
    'host'     => '127.0.0.1',
    'username' => 'webuser',
    'password' => 'xxxxxxxx',
    'dbname'   => 'test');
$db = Zend_Db::factory('Pdo_Mysql', $params);
// "table" is a reserved word in MySQL, so it has to be backtick-quoted;
// the value contains a literal "?" embedded directly in the SQL text
$db->query("UPDATE `table` SET col = 'Are you fine ?' WHERE 1");
What do I have to do to get the correct string (Are you fine ?) into the database? The question mark is systematically interpreted and replaced with a single quote!
Thanks in advance for your help. I hope my English is not too poor!
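As an added example (not part of the original post, and not code from the Zend Framework project), the way to keep a literal "?" out of the placeholder parser is to not put the data into the SQL text at all: pass it as a bound parameter, so the only "?" the parser ever sees is the placeholder itself. This is also the fix for the unescaped-quote problem SpotSec raised, since bound values are never spliced into the statement string. The connection parameters are the ones from the post; the table name demo_messages, the id/col columns and the scratch-table setup are assumptions made for this demonstration.

```php
<?php
// Added example, not from the original post: bind the value instead of
// embedding it in the SQL text, so a "?" inside the data is never parsed
// as a placeholder. Assumes Zend Framework 1 on the include_path and a
// reachable MySQL "test" database with the credentials from the post.
require_once 'Zend/Db.php';

$params = array(
    'host'     => '127.0.0.1',
    'username' => 'webuser',
    'password' => 'xxxxxxxx',
    'dbname'   => 'test',
);
$db = Zend_Db::factory('Pdo_Mysql', $params);

$table = 'demo_messages';      // assumed table name, chosen for this example
$text  = 'Are you fine ?';     // constructed sample value; note the literal "?"

// Scratch table for the demonstration (assumed schema). quoteIdentifier()
// backtick-quotes the name, which is what makes reserved words usable.
$quoted = $db->quoteIdentifier($table);
$db->query('CREATE TABLE IF NOT EXISTS ' . $quoted
         . ' (id INT NOT NULL PRIMARY KEY, col VARCHAR(255))');
$db->query('DELETE FROM ' . $quoted);
$db->insert($table, array('id' => 1, 'col' => 'initial'));

// 1) Positional placeholders: the two "?" in the SQL text are the only
//    placeholders; the data, including its own "?", travels separately
//    as bound values and is never interpreted as SQL.
$db->query('UPDATE ' . $quoted . ' SET col = ? WHERE id = ?',
           array($text, 1));

// 2) Equivalent adapter helper: update() builds the SET clause from bound
//    values, and quoteInto() escapes the value used in the WHERE clause.
$db->update($table, array('col' => $text), $db->quoteInto('id = ?', 1));

// 3) Read it back, again with a bound parameter rather than concatenation.
$stored = $db->fetchOne('SELECT col FROM ' . $quoted . ' WHERE id = ?',
                        array(1));

echo ($stored === $text) ? "stored value matches: $stored\n"
                         : "mismatch, stored: $stored\n";
```

The rule that falls out of this is the same one that prevents SQL injection: the SQL string should contain only SQL written by the developer, and everything that comes from data (user input, values read back from the database, anything containing quotes or question marks) should go through the bind array or through quoteInto(). Concatenating the value into the query, as in the original snippet, is what exposes both the placeholder-parsing surprise and the unescaped single quotes.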