Re: problem with serial - Mailing list pgsql-general

From Yvon Thoraval
Subject Re: problem with serial
Date
Msg-id CAG6bkBwx6QdCiSFd4z-W9=ESLper7PyOt+b+TF__f3Knk3-xYg@mail.gmail.com
In response to Re: problem with serial  (Chris Angelico <rosuav@gmail.com>)
List pgsql-general


2012/4/19 Chris Angelico <rosuav@gmail.com>

No; ditch them. I mean no offense to you personally, but these
functions are not worth keeping. Every SQL API includes a function for
quoting something as a literal string. With PDO, it's this one:

http://www.php.net/manual/en/pdo.quote.php

I don't know where you would be using sql2str, but it's just as
dangerous as the others (not to mention inefficient, there's no need
to use regular expressions for simple string replacement). Replace all
your calls to any of these functions with standard quoting functions
and see if your problem disappears. If not, well, it's still not been
a fruitless exercise, because now you are relying for safety and
security on something that the database engine promises is correct :)

OK, OK, this comes from an old workaround with SQLite3...

I put the query into a try / catch like this:
          // Statement text is built by string interpolation; name goes through the hand-rolled quoting helpers
          $sql="INSERT INTO categories (idx, ctime, mtime, name) VALUES ( $idx, '$dat', '$dat', '".str2sql(quoteAsAre($name))."' ) RETURNING rowid;";
          $xml.="<sql>$sql</sql>";   // copy the SQL into the XML output so it can be inspected
          try {
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // make PDO throw instead of returning false
            $ret=$db->query($sql);
            $row=$ret->fetch();
            $rowid=$row['rowid'];   // value produced by the RETURNING clause
            $xml.="<rowid>$rowid</rowid>";
          } catch (PDOException $e) {
            $xml.="<PDOException>".$e->getMessage()."</PDOException>"; // report the database error in the XML as well
          }

With that I can read the SQL and the error.

I'll follow your advice about quoting, ASAP )))

--
Yvon
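[Editor's note] The following is an added example, not code from either poster: it shows the same INSERT ... RETURNING written with a PDO prepared statement, so the name value is never spliced into the statement text and str2sql/quoteAsAre become unnecessary, with $db->quote() as the driver-supplied literal quoting Chris points to for the cases where a literal really has to be built. The function names (openDb, insertCategory) and the sample rows are assumptions; an in-memory SQLite database is used only so the script runs offline, the pgsql DSN is a placeholder.

```php
<?php
// Added example (not Yvon's or Chris's code). Assumes pdo_sqlite for the
// offline run; swap the DSN for the real server, e.g. 'pgsql:host=...;dbname=...'.

function openDb(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn);
    // Throw on errors instead of returning false (same setting as the original snippet).
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Let the server handle parameters itself rather than client-side interpolation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

function insertCategory(PDO $db, int $idx, string $dat, string $name): int {
    // Placeholders replace "'$dat'" and str2sql(quoteAsAre($name)):
    // the driver transmits values separately from the statement text, so an
    // apostrophe or backslash in $name is data, not syntax.
    // Each placeholder name is used once; reusing one is rejected by some drivers.
    // RETURNING works on PostgreSQL and on SQLite 3.35 or newer (assumed here).
    $stmt = $db->prepare(
        'INSERT INTO categories (idx, ctime, mtime, name)
         VALUES (:idx, :ctime, :mtime, :name) RETURNING idx'
    );
    $stmt->bindValue(':idx', $idx, PDO::PARAM_INT);
    $stmt->bindValue(':ctime', $dat);
    $stmt->bindValue(':mtime', $dat);
    $stmt->bindValue(':name', $name);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return (int) $row['idx'];
}

// Demonstration on constructed data, including names that hand-rolled
// escaping tends to get wrong (embedded quote, backslash).
$db = openDb();
$db->exec('CREATE TABLE categories (idx INTEGER PRIMARY KEY, ctime TEXT, mtime TEXT, name TEXT)');
$dat = '2012-04-19 10:00:00';                 // constructed timestamp
$names = ['Books', "O'Reilly & Co.", 'back\\slash'];

$idx = 1;
foreach ($names as $name) {
    $returned = insertCategory($db, $idx, $dat, $name);
    // If a literal must appear in SQL text (e.g. for a log line), use the
    // driver's own quoting rather than a regex-based helper.
    echo "inserted idx={$returned} name literal=" . $db->quote($name) . "\n";
    $idx++;
}

// Read back to confirm the stored names are byte-for-byte what was supplied.
foreach ($db->query('SELECT idx, name FROM categories ORDER BY idx') as $row) {
    echo "{$row['idx']}: {$row['name']}\n";
}
```

The one-line migration from Yvon's snippet is to keep the try / catch as it is and replace $db->query($sql) with prepare/bindValue/execute; the <sql> element in the XML can then carry the statement text with placeholders, which still shows what ran without exposing the raw interpolated values.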

