Skip to content

PdoSessionHandler not escaping identifiers #11131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
INSEAD-asim opened this issue Jun 16, 2014 · 8 comments
Closed

PdoSessionHandler not escaping identifiers #11131

INSEAD-asim opened this issue Jun 16, 2014 · 8 comments
Labels
HttpFoundation

Comments

@INSEAD-asim
Copy link

Hi,
I am using Symfony 2.3.15. I encounter following bugs when I try to implement PdoSessionHandler. I override my own class to overcome following issues. Unfortunately, the library not even throwing any exceptions for these issues.

  1. Table names and Field Names are not escaped so it is not accepting any keyword.
  2. Binding parameter "time" is keyword in MS SQL so it is not working.
  3. Queries are not concatenated using sprintf().
  4. MERGE statement is not working for MS SQL so I had to use default DELETE and INSERT.

Regards,
Asim
@Tobion
Copy link
Contributor

Tobion commented Jun 16, 2014

  1. has been fixed by [HttpFoundation] smaller fixes for PdoSessionHandler #11009 and will be in next patch release
    What do you mean by 3.?

@INSEAD-asim
Copy link
Author

Thanks for no. 4.
Regarding no. 3, queries are written like:
REPLACE INTO $this->table ($this->idCol, $this->dataCol, $this->timeCol)....
where as it would be good to be like:
sprintf(
'REPLACE INTO %s (%s, %s, %s) VALUES (:session_id, :session_data, :session_time)',
$this->table,
$this->idCol,
$this->dataCol,
$this->timeCol
);

@Tobion
Copy link
Contributor

Tobion commented Jun 16, 2014

What's the difference?

@INSEAD-asim
Copy link
Author

I think sprintf() is used in symfony as standard. Anyway, it is not blocking. :)

@Tobion
Copy link
Contributor

Tobion commented Jun 16, 2014

The problem is that different DBMS use different characters for quoting identifiers. And it's not recommended to use to use reserved words anyway. Neither in doctrine. So not sure if worth implementing. See https://github.com/doctrine/dbal/blob/master/lib/Doctrine/DBAL/Platforms/AbstractPlatform.php#L529

@Tobion Tobion changed the title PdoSessionHandler not working properly PdoSessionHandler not escaping identifiers Jun 16, 2014
@INSEAD-asim
Copy link
Author

I will try to work on it for enhancements and send you newer version hopefully.

@Tobion
Copy link
Contributor

Tobion commented Jun 20, 2014

I already looked into fixing it as part of #10931

@fabpot
Copy link
Member

fabpot commented Dec 29, 2014

Closing as @Tobion fixed most "fixable" problems.

@fabpot fabpot closed this as completed Dec 29, 2014
@Tobion Tobion mentioned this issue May 21, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
HttpFoundation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fabpot @jakzal @Tobion @INSEAD-asim