Description
The following code:
<?php
$connection = odbc_pconnect('Driver=MariaDB;Database=test', 'foobar', 'pass;word');
Resulted in this output:
Warning: odbc_pconnect(): SQL error: [ma-3.1.13]Error while parsing DSN, SQL state S1000 in SQLConnect in /home/calvin/src/test-connection-string.php on line 3
But I expected this output instead:
<successful connection>
PDO is also affected.
I dealt with a PHP user's issue where they had a password with a ; in it. Unfortunately, the code that handles the ctor(connection string, uid, pwd) case is naive (both for procedural and PDO) and appends without any special processing. That means the connection string will be mangled (or worse, injectable) unless the user application does itself, and better, what PHP does behind the scenes (i.e. calls ctor("connection string;uid={uid};pwd={pwd}", null, null), whereas PHP only does ctor("connection string;uid=uid;pwd=pwd", null, null)).
Unfortunately, after reading unixODBC code, it seems clear that the responsibility of parsing these connection strings is at the driver level, so in theory every driver could be handling how to escape strings themselves. It seems the usual standard is {wrap in curly braces}, and some drivers support single quotes. There may be more escaping/quoting rules I'm not aware of (possibly covered by the ODBC standard?). The IBM i Db2 driver seems to support both, but the MariaDB driver only supports curly braces.
It could also be that it's not PHP's responsibility to deal with this, but it is unfortunate to have to explain SQLConnect vs. SQLDriverConnect behaviour to people writing application code. If PHP can't escape, perhaps it could warn/error out if user input is problematic.
PHP Version
PHP 8.2.0-dev
Operating System
Fedora 35
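The following is an added example, not code from the bug report or from PHP's ext/odbc. It shows the raw-append behaviour the report describes next to the brace-quoting an application can do itself before handing PHP a finished connection string with empty uid/pwd. It assumes the curly-brace rule the report mentions (a value in braces may contain anything except a closing brace); a closing brace has no escape that all drivers agree on, so the helper refuses it rather than emit a string whose parsing depends on the driver. The constructed passwords include one that would smuggle an extra attribute through the password field if appended raw.

```php
<?php
// Added example (not from the bug report or from PHP's ext/odbc): build an ODBC
// connection string with UID/PWD quoted the way ODBC drivers expect, instead of
// appending them raw as the report says PHP does.

/**
 * Quote one ODBC connection-string attribute value.
 *
 * Values containing ';', '=', braces or whitespace are wrapped in curly braces,
 * the form the report says the MariaDB driver (and most others) accept.
 * A '}' inside a braced value has no portable escape (assumption: some drivers
 * take "}}", but the report notes drivers differ), so we reject it outright.
 */
function odbc_quote_value(string $value): string
{
    if (str_contains($value, '}')) {
        throw new InvalidArgumentException(
            'ODBC attribute value contains "}", which cannot be quoted portably'
        );
    }
    // Quote only when needed so plain values stay readable.
    if ($value === '' || preg_match('/[;={}\s]/', $value) === 1) {
        return '{' . $value . '}';
    }
    return $value;
}

/**
 * Build "Key=value;Key=value" from an associative array, quoting each value
 * and rejecting attribute names that are not plain identifiers.
 */
function odbc_build_dsn(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $key => $value) {
        if (preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $key) !== 1) {
            throw new InvalidArgumentException("Invalid ODBC attribute name: $key");
        }
        $parts[] = $key . '=' . odbc_quote_value((string) $value);
    }
    return implode(';', $parts);
}

// Constructed inputs: the password from the report, and one that tries to
// inject a Server attribute through the password field.
$cases = [
    'pass;word',
    'x;Server=attacker.example',
];

foreach ($cases as $pwd) {
    // What the report says ext/odbc effectively does today: raw append.
    $naive = 'Driver=MariaDB;Database=test' . ';uid=foobar;pwd=' . $pwd;

    // What the application can do instead: quote every value, then pass the
    // finished string with no separate uid/pwd so PHP appends nothing.
    $quoted = odbc_build_dsn([
        'Driver'   => 'MariaDB',
        'Database' => 'test',
        'UID'      => 'foobar',
        'PWD'      => $pwd,
    ]);

    echo "naive : $naive\n";   // e.g. ...;pwd=pass;word   -> "word" parsed as a bogus attribute
    echo "quoted: $quoted\n\n"; // e.g. ...;PWD={pass;word} -> one attribute, as intended
}

// Actual connection (needs a driver, so left commented out). Assumption, per
// the report's ctor("connection string;uid=...;pwd=...", null, null) description:
// with UID/PWD already in the string PHP does not append anything further.
// $conn = odbc_connect($quoted, '', '');
// $pdo  = new PDO('odbc:' . $quoted);
```

The quoting helper is deliberately conservative: a password containing `}` fails loudly at string-building time instead of producing a string that one driver parses correctly and another mangles, which is the same "warn/error out if user input is problematic" fallback the report suggests for PHP itself.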