Natively PostgreSQL uses e.g. `$1` as a parameter marker instead of `?`. PDO handles this conversion, but for the native driver we've had to change the markers ourselves.
When this was originally implemented it was assumed all values would be placed in parameters and thus any `?` characters would be parameter markers and a simple string replacement could be used. Since then, strings are sometimes embedded to ease pressure on the limited number of parameter markers themselves; string literals containing `?` might therefore now appear in queries, breaking things spectacularly.
Indeed, this part of query construction is poorly tested, so more tests are required. The simplest solution is probably to never embed any string which contains a question mark.
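As an added illustration (not code from this project), a PHP version of the `?`-to-`$N` rewrite that skips single-quoted literals, quoted identifiers, dollar-quoted strings and comments, so an embedded literal containing `?` keeps its text and the marker count stays correct; the function name and the sample query are assumptions made here. It also reports the marker count, so a caller can refuse to execute when it does not match the number of bound values instead of letting the database fail later.

```php
<?php
// Rewrite "?" placeholders as PostgreSQL $1, $2, ... markers, leaving alone any "?"
// inside a single-quoted literal, a double-quoted identifier, a dollar-quoted string
// ($$..$$ or $tag$..$tag$) or a comment. Returns [rewritten SQL, marker count].
// Caveat: the jsonb operators "?", "?|" and "?&" would still be rewritten.
function convertPlaceholders(string $sql): array
{
    $out = '';
    $n = 0;
    $len = strlen($sql);
    $i = 0;
    while ($i < $len) {
        $c = $sql[$i];
        $next = $sql[$i + 1] ?? '';
        if ($c === "'" || $c === '"') {
            // Quoted span: a doubled quote ('' or "") is an escape, not the end.
            $end = $i + 1;
            while (($pos = strpos($sql, $c, $end)) !== false && ($sql[$pos + 1] ?? '') === $c) {
                $end = $pos + 2;
            }
            if ($pos === false) { throw new InvalidArgumentException('Unterminated quote'); }
            $end = $pos + 1;
        } elseif ($c === '$' && preg_match('/\G\$([A-Za-z_][A-Za-z0-9_]*)?\$/', $sql, $m, 0, $i)) {
            // Dollar-quoted string: skip to the matching closing tag.
            $close = strpos($sql, $m[0], $i + strlen($m[0]));
            if ($close === false) { throw new InvalidArgumentException('Unterminated dollar quote'); }
            $end = $close + strlen($m[0]);
        } elseif ($c === '-' && $next === '-') {
            $nl = strpos($sql, "\n", $i);            // line comment runs to end of line
            $end = $nl === false ? $len : $nl + 1;
        } elseif ($c === '/' && $next === '*') {
            $close = strpos($sql, '*/', $i + 2);     // block comment
            $end = $close === false ? $len : $close + 2;
        } elseif ($c === '?') {
            $out .= '$' . ++$n;                      // the one place a "?" becomes a marker
            $i++;
            continue;
        } else {
            $end = $i + 1;                           // ordinary character
        }
        $out .= substr($sql, $i, $end - $i);         // copy the skipped span verbatim
        $i = $end;
    }
    return [$out, $n];
}

// Constructed query: the "?" in the literal and in the comment must survive untouched.
[$sql, $count] = convertPlaceholders("SELECT 1 FROM t WHERE a = ? AND b = 'why?' -- really?\n AND c = ?");
if ($count !== 2) { throw new LogicException("expected 2 markers, got $count"); }
```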
jking added this to the Future milestone 5 years ago