[Solar-svn] Revision 2990
pmjones at solarphp.com
Tue Mar 11 08:40:06 CDT 2008
Solar_Sql_Adapter: [FIX] In method quote(), quote *all* scalars, including numerics. Thanks, Jeff Moore.
----
Jeff Moore wrote:
I've found a rather insidious bug in Solar_Sql_Adapter::quote
This function uses the PHP is_numeric function to shortcut using the driver's built-in quoting function, so that if a numeric value is passed it won't be quoted in the standard manner. So for example, a where clause fragment may end up looking like:
id = 2008
rather than
id = '2008'
However, a problem occurs when this is combined with MySQL's mixed type comparison rules.
(http://dev.mysql.com/doc/refman/5.0/en/type-conversion.html)
If a string and a numeric are compared, the string is converted into a number for the comparison. For example, the following is TRUE in MySQL:
SELECT "2008/u-r-screwed" = 2008
While this comparison is of course false:
SELECT "2008/u-r-screwed" = "2008"
So, where you have a string column defined and you use Solar to quote a value to compare against it, and that value happens to contain a valid string representation of a number, then you have the potential to match more records than you bargained for.
Additionally, MySQL cannot use an index for the column in this type of comparison, which may cause your query to be inexplicably slow in the case where a quoted value happens to be numeric.
I'd recommend modifying Solar_Sql_Adapter::quote to remove the is_numeric shortcut.
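The two quoting strategies side by side, as an added example that is not Solar's own code: quote_before() reproduces the is_numeric shortcut from rev 2989 and quote_after() the always-quote behaviour of rev 2990. An in-memory SQLite PDO handle stands in for the adapter's connection so that PDO::quote() works offline; the MySQL comparison rules quoted above are not exercised here, only the SQL fragments each version emits.

```php
<?php
// Added example, not Solar_Sql_Adapter code. The SQLite handle is only a
// stand-in for $this->_pdo so that PDO::quote() is available without MySQL.
$pdo = new PDO('sqlite::memory:');

// Rev 2989 behaviour: anything is_numeric() accepts is emitted bare.
function quote_before(PDO $pdo, $val): string
{
    if (is_numeric($val)) {
        return (string) $val;            // e.g. name = 2008
    }
    return $pdo->quote((string) $val);   // e.g. name = 'abc'
}

// Rev 2990 behaviour: every scalar goes through the driver quoter.
function quote_after(PDO $pdo, $val): string
{
    return $pdo->quote((string) $val);   // always name = '2008'
}

// Constructed sample inputs, as strings the way form or URL values arrive.
// is_numeric() accepts more than plain digit runs (decimals, exponents,
// leading whitespace), so each of those also bypassed quoting before the fix.
$inputs = ['2008', '2008.0', '1e3', ' 2008', 'abc'];

foreach ($inputs as $in) {
    printf("%-9s before: name = %-9s after: name = %s\n",
        var_export($in, true),
        quote_before($pdo, $in),
        quote_after($pdo, $in));
}
```

A bare `name = 2008` against a string column is exactly the mixed-type comparison the report describes; the quoted form keeps the comparison string-to-string.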
Modified: trunk/Solar/Sql/Adapter.php
===================================================================
--- trunk/Solar/Sql/Adapter.php 2008-03-11 11:02:57 UTC (rev 2989)
+++ trunk/Solar/Sql/Adapter.php 2008-03-11 13:40:05 UTC (rev 2990)
@@ -1178,11 +1178,8 @@
$val[$k] = $this->quote($v);
}
return implode(', ', $val);
- } elseif (is_numeric($val)) {
- // no need to quote numerics
- return $val;
} else {
- // quote all other scalars
+ // quote all other scalars, including numerics
$this->connect();
return $this->_pdo->quote($val);
}
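Review bot: with the is_numeric branch gone, the else branch now sends PHP ints and floats through $this->_pdo->quote($val) as string literals (quote('2008') and quote(2008) both yield '2008'), so comparisons against numeric columns now rely on the database converting the string literal back to a number; the method's docblock should state this, and a unit test asserting that quote(2008) returns "'2008'" would pin the new contract. Also note that PDO::quote() receives the float as PHP stringifies it, so a value such as 2008.0 is quoted as '2008'; if callers depend on the exact textual form, mention that alongside the "including numerics" comment.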