[Typo3-dev] quoting SQL-identifiers
Martin Kutschker
martin.kutschker at no5pam.blackbox.net
Fri Apr 22 12:00:49 CEST 2005
Hi!
It's possible to quote SQL identifiers (e.g. table names) to avoid a clash
with reserved names.
It seems that the ANSI standard is " (double quotes). MySQL uses ` (back ticks)
unless in ANSI mode (SET sql_mode='ANSI_QUOTES'). But you need 3.23.6 to get
quoting at all. How about other RDBMSs?
Question:
Should we use identifier quoting in TYPO3 per default?
How should this be accomplished?
Possible solution (if needed at all):
t3lib_db->quoteIdentifier($ident)
Opinions?
Masi
PS: Mind that this kind of quoting is NO protection against SQL-injection.
The user should never be able to enter a SQL-identifier directly.
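
An added sketch of what such a helper could look like (not part of the original post and not TYPO3 code). The function name follows the proposed quoteIdentifier; the $dialect parameter, the sortColumn() helper, the sample column list and the treatment of '.' as a separator for qualified names are assumptions made for illustration. Following the PS, a user-supplied column name is selected from a fixed allowlist before it is quoted.

```php
<?php
// Added illustration; not TYPO3 code. All names below are hypothetical.

/**
 * Quote an SQL identifier.
 *   'ansi'  -> "name"  (standard SQL, MySQL with sql_mode ANSI_QUOTES)
 *   'mysql' -> `name`  (MySQL default mode)
 * Assumption: '.' separates the parts of a qualified name (table.column).
 */
function quoteIdentifier(string $ident, string $dialect = 'ansi'): string
{
    if (strpos($ident, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in SQL identifier');
    }
    $q = ($dialect === 'mysql') ? '`' : '"';
    $parts = [];
    foreach (explode('.', $ident) as $part) {
        if ($part === '') {
            throw new InvalidArgumentException('Empty SQL identifier');
        }
        // A quote character inside the name is escaped by doubling it.
        $parts[] = $q . str_replace($q, $q . $q, $part) . $q;
    }
    return implode('.', $parts);
}

/**
 * Map a requested column name onto a fixed allowlist. Quoting only avoids
 * clashes with reserved words; this check is what keeps user input from
 * choosing arbitrary identifiers.
 */
function sortColumn(string $requested, array $allowed, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed sample data: 'order' is a reserved word, so it needs quoting.
$allowed = ['title', 'crdate', 'order'];

foreach (['order', 'no_such_column'] as $requested) {
    $column = sortColumn($requested, $allowed, 'title');
    echo 'SELECT * FROM ' . quoteIdentifier('pages', 'mysql')
        . ' ORDER BY ' . quoteIdentifier('pages.' . $column, 'mysql') . "\n";
}
```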