When I run the following simple query inside Microsoft Access:
select * from movie where moviename like 'batman'
it works.
Also using double quotes around the string works:
select * from movie where moviename like "batman"
I have a website where the user can type in any select query which PHP will then run and returning the record results to the user. I use PDO/ODBC to connect to the Access database. If the user types in query 1 it works, but query 2 fails with:
[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1. (SQLExecute[-3010] at ext\pdo_odbc\odbc_stmt.c:254)
The documentation says about quote() function:
"Not all PDO drivers implement this method (notably PDO_ODBC). Consider using prepared statements instead."
but I can't use prepared statement as I don't know what query the user will type in. Sometimes they use '...' around a string and sometimes "...".
To reproduce you only need an Access (.mdb/.accdb) database with at least one table called 'film' and a column 'titel'. Put some records in it. At least 1 with 'Batman'. Use the following testscript:
//also using a older Access version of the database "film.mdb" didn't work
//be sure to use full/absolute pathname
$dbnameFile="C:\\wamp\\www\\elearning2\\databases\\film.accdb";
$username="";
$password="";
$accessdriver="{Microsoft Access Driver (*.mdb, *.accdb)}";
$dbDB = new PDO("odbc:Driver=$accessdriver;Dbq=$dbnameFile", $username, $password,
array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
//Testcases, comment all but one
//Testcase 1: works
$sql="select * from film where titel like 'Batman'";
//Testcase 2: works
$sql='select * from film where titel like \'Batman\'';
//Testcase 3: COUNT field incorrect: -3010 [Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.
$sql="select * from film where titel like \"Batman\"";
//Testcase 4: COUNT field incorrect: -3010 [Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.
$sql='select * from film where titel like "Batman"';
//Testcase 5: Syntax error (missing operator) in query expression 'titel like \[Batman\]
$sql='select * from film where titel like \"Batman\"';
//Testcase 6: Syntax error (missing operator) in query expression 'titel like []Batman[]
$sql='select * from film where titel like ""Batman""';
$result=$dbDB->query($sql);
$rows=$result->fetchAll(PDO::FETCH_ASSOC);
$result->closeCursor();
foreach($rows as $row) {
echo $row["TITEL"]."
";
echo "<br>";
}
$dbDB=null;
How can I properly escape a user given SQL query for PHP/PDO/ODBC/Access? Or is it just not possible to use a "..." string delimiter, despite working in Access?
I also find the error messages for testcase 5 and 6 odd. It looks like the double quote is changed into a [
or ]
??
I can't use bind parameters, prepared statements or rewrite the query because the query is totally unknown and given by the user and can also contain syntax error(s). I can't modify this user query and just want it to be executed by PDO/ODBC but how?
I use Apache 2.4.9 and PHP 5.5.12 running locally on a Windows 7 SP1 machine.
I posted an official PHP bug report