Bug #20439
Status: closed
DBAL wildly quotes fields and table names
Description
When issuing a query using the $GLOBALS['TYPO3_DB']->exec_SELECTgetRows() method, for instance, the actual query being generated has all fields quoted with the proper quote for the selected DBMS.
This is however done in a fully uncontrolled manner, as all stuff gets quoted, resulting in an invalid SQL query being issued to the actual DBMS. E.g., using an MSSQL backend, a query is like this:
SELECT "Field1", "Field2" FROM "MyTable" WHERE "Uid" = 1234
and that does not work; MSSQL complains that it cannot parse the query (at least with ADOdb, because using Query Analyzer, the query is performed successfully).
Solution: Use ADOdb built-in function to quote fields and table names and... as it performs a few tests to decide whether quoting is needed or not.
(issue imported from #M11108)
Updated by Xavier Perseguers about 15 years ago
Created v2 of patch as Oracle does not work properly with use of NameQuote() (ADOdb built-in function to quote fields and table names).
This new version adds an option "useNameQuote" to the configuration of the DBAL handler in $TYPO3_CONF_VARS['EXTCONF']['dbal']['handlerCfg']. It defaults to FALSE, meaning NameQuote is not used and existing installs still use manual quoting of field and table names.
Updated by Xavier Perseguers about 15 years ago
This patch was committed as revision 24017 on DBAL-trunk.