Hi,

I'm trying to run the folowing query, without success. Evertime the "?" in the query is replaced (quoted) by the "'" character and a get a wrong record value in database :

Col contains : Are you fine '

Any idea ???

you do notice that your using single quotes that aren't escaped?

__________________
SpotSec Network Gateway Project on SourceForge
SpotSec Network Gateway Project Home

SpotSec Blog:
http://spotsec.com/blog

No, I say that I dont found any option to configure the PDO:MySQL -> prepare( $sql ) to DO NOT PARSE my query.

Anyway, the PDO library parse the query and interprets the quotation mark character as a bind parameter. Also, its not everytime the case, you may have database contents containing the "?" character !

Try to execute the folowing code :



How to do to have the correct string (Are you fine ?) in database ? The quotation mark is systematically interpreted and replaced with a single quote !

Thanks in advance for your help. I hope my english is no so poor !

That's becuase you should be escaping your values. e.g.
$db->quoteInto('UPDATE table SET col = ? WHERE 1', 'Are you fine ?'); or
$db->query('UPDATE table SET col = '.$db->quote('Are you fine ?').' WHERE 1');
This prevents sql injection attacks, also ensures that any special chars are escaped for use with the database you are currently using, plus allows the sql produced to work in different db servers (e.g. you currrent sql wouldn't work in postgresql)

Thanks for your help, letssurf.
You're right, next time, I will read the manual with more attention !

So many works to make applications secured...