quote does not properly quote input

Issue #72 duplicate
Former user created an issue

Originally reported on Google Code with ID 72
```
What steps will reproduce the problem?
1. use the SQLite 3 driver or the sqlite driver
2. insert a row with a special character, e.g. $

What is the expected output?
It should insert a row into the database

What do you see instead?
Warning: SQLiteDatabase::query() [sqlitedatabase.query]: unrecognized token: "$" in C:\wamp\www\phpliteadmin.php on line 664

Call Stack
#  Time    Memory   Function                  Location
1  0.0076  2410200  {main}( )                 ..\phpliteadmin.php:0
2  0.0120  2455560  Database->query( )        ..\phpliteadmin.php:2118
3  0.0120  2455656  SQLiteDatabase->query( )  ..\phpliteadmin.php:664

What version of the product are you using? On what operating system?
1.9.0 windows

Please provide any additional information below.

The PDO quote function escapes the input and puts single quotes before and after it; however, the SQLite3 and sqlite escape-string functions escape quotes but do not add the quotes before and after the input like PDO does.

To fix, use this quote function instead:

// line 930
// correctly escape a string to be injected into an SQL query
public function quote($value)
{
	if($this->type=="PDO")
	{
		return $this->db->quote($value);
	}
	else if($this->type=="SQLite3")
	{
		return '\''.$this->db->escapeString($value).'\''; // Add quotes
	}
	else
	{
		return '\''.sqlite_escape_string($value).'\''; // Add quotes.
	}
}
```

Reported by `nipten` on 2011-12-01 19:15:19

Comments (3)

  1. Former user (Account Deleted)

    ``` Is this the solution to my problem in issue 84? It looks to me that this is a better (because structural) solution than the temporary fix that I applied.

    Were there any unsuspected effects after applying this fix in Dec. 2011? If not, I will remove my fix and apply this one.

    Thanks.......ekevanbatenburg@gmail.com ```

    Reported by `ekevanbatenburg` on 2012-03-15 00:44:58

  2. Former user (Account Deleted)

    ``` Yeah, looks like the same bug I had. I initially tried your solution before putting it in the quote function. I think this is a better all-round fix for the issue, but as you stated in issue 84 it could cause problems with numbers. For the most part, even if a number is encased in quotes like a string, mysql will convert it to a number or the field type as expected.

    Haven't properly tested it, but so far it has worked as expected when running insert, update, select, delete and importing/backup from file. ```

    Reported by `nipten` on 2012-04-03 22:33:19

  3. Christopher Kramer

    ``` This is a duplicate of #75. The problem should be fixed in 1.9.2 therefore. I fixed the issue the same way as you did. ```

    Reported by `crazy4chrissi` on 2012-05-30 14:42:25 - Status changed: `Duplicate` - Merged into: #75

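The escape-without-quotes failure from the report above and the number-quoting concern raised in comment 2 (issue 84), as an added example that is not part of this issue or of phpLiteAdmin's code. It uses Python's sqlite3 module rather than PHP so the generated SQL is actually executed by a SQLite engine; `escape_string` is an assumed stand-in for PHP's SQLite3::escapeString / sqlite_escape_string (doubling embedded single quotes and nothing else), `quote_broken` and `quote_fixed` are hypothetical names for the 1.9.0 behaviour and the proposed fix, and the tables and values are constructed for the demo.

```python
import sqlite3


def escape_string(value: str) -> str:
    """Assumed stand-in for PHP's SQLite3::escapeString / sqlite_escape_string:
    double embedded single quotes, add nothing else (no surrounding quotes)."""
    return value.replace("'", "''")


def quote_broken(value: str) -> str:
    """Hypothetical name for the 1.9.0 behaviour: escaped but not wrapped,
    so the caller's concatenated SQL receives a bare token instead of a literal."""
    return escape_string(value)


def quote_fixed(value: str) -> str:
    """Hypothetical name for the proposed fix: escape, then wrap in single
    quotes, which is what PDO::quote returns."""
    return "'" + escape_string(value) + "'"


def try_insert(quote, value):
    """Concatenate the value into an INSERT the way the report's quote() is used
    and run it on an in-memory database with a constructed table.
    Returns (True, [stored values]) or (False, error message)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    sql = "INSERT INTO t (name) VALUES (" + quote(value) + ")"
    try:
        conn.execute(sql)
    except sqlite3.OperationalError as exc:
        return False, str(exc)  # e.g. unrecognized token: "$"
    rows = [r[0] for r in conn.execute("SELECT name FROM t ORDER BY id")]
    return True, rows


def number_affinity_demo(quote):
    """The caveat from comment 2 / issue 84: once every value is quoted, a
    number arrives as the text literal '42'. SQLite's type affinity converts it
    back to an integer in a column declared INTEGER, but a column with no
    declared type keeps it as text, and `untyped = 42` then matches nothing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nums (typed INTEGER, untyped)")  # constructed
    conn.execute("INSERT INTO nums (typed, untyped) VALUES ("
                 + quote("42") + ", " + quote("42") + ")")
    typed_type, untyped_type = conn.execute(
        "SELECT typeof(typed), typeof(untyped) FROM nums").fetchone()
    typed_hits = conn.execute(
        "SELECT count(*) FROM nums WHERE typed = 42").fetchone()[0]
    untyped_hits = conn.execute(
        "SELECT count(*) FROM nums WHERE untyped = 42").fetchone()[0]
    return {"typed": typed_type, "untyped": untyped_type,
            "typed_hits": typed_hits, "untyped_hits": untyped_hits}


if __name__ == "__main__":
    for label, quote in (("broken", quote_broken), ("fixed", quote_fixed)):
        print(f"--- {label} quote() ---")
        for value in ("$", "O'Brien", "1), (2"):
            print(f"{value!r:12} -> {try_insert(quote, value)}")
        print("number affinity:", number_affinity_demo(quote))
```

Running it prints both variants side by side. The third value is the security point: with the 1.9.0 quote() the input is spliced into the statement as SQL rather than as a literal, so the same defect that rejects `$` also lets `1), (2` add a second row, while the fixed quote() stores it as one literal string. The last line is the number concern from the comments: in SQLite it only bites on columns declared without a type, because a column with INTEGER affinity converts '42' back to an integer both on insert and in comparisons. Binding values as parameters would sidestep the question, but the quote() in the report is written to be concatenated into the statement, so it has to supply the quotes itself.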