DeutschEnglish

Submenu

 - - - By CrazyStat - - -

7. October 2012

SQLite: escaping table and column names correctly

Filed under: DBMS,PHP,phpLiteAdmin — Tags: , , , , , , , , , , — Christopher Kramer @ 21:44

Summary:

Use double quotes around column names, table names, trigger names etc.

SELECT "column name", "my column", FROM "table name"

Use single quotes around string values

SELECT * FROM "table name" WHERE "column name" = 'string value'

Use two double quotes if e.g. your column name contains a double quote (e.g. my”column)

SELECT "my""column" FROM "my""table"

Details:

I joined the development team of phpliteadmin some months ago and am currently fixing several issues. One problem is caused by SQLite’s flexibility of column- and table names. A column named “SELECT”, “my column”, “this, that”, or even “this contains ‘single quotes'” is completely legal in SQLite. And what is legal is being used. So phpliteadmin needs to be able to handle these types of names as well, which is not really the case at the moment.

Let’s assume you query a column called “select”, you are likely to get errors like that in PHP:

Warning: SQLiteDatabase::query() [sqlitedatabase.query]: near “select”: syntax error in …

Or using PDO:

HY000 / 1 / near “select”: syntax error

From MySQL I knew backticks around table or column identifiers like in this example:

SELECT `select`, `my column`, `this, that` FROM `group by table`

(By the way, you see my syntax highlighter has problems with reserved words as column names as well ;-))

I tried this in SQLite and it worked, so I went that way. But there are different versions of SQLite and for the old version that, in PHP, is implemented by SQLiteDatabase, would give the following error:

Warning: SQLiteDatabase::query() [sqlitedatabase.query]: unrecognized token: “`” in …

So I found out that instead of backticks, normal single quotes work:

SELECT * FROM 'group by table'

This works well, but there is a problem here with column names:

SELECT 'select' FROM 'group by table'

This will not work as expected. It will not return the values of the column ‘select’, but create a column filled with the text ‘select’. That is of course standard SQL behaviour and shows that it is a bad idea to use single quotes around column or table names. The bug report by maitredede on the phpliteadmin issue tracker made me aware of another way to escape column and table names:

SELECT [select], [my column], [this, that] FROM [group by table]

This works very well, both with SQLiteDatabase, SQLite3 and PDO when accessing SQLite from PHP. I have not tried it using the SQLite C library directly, but it should work as well.

So I’d say this is the best way to do this as it works the same way with all versions of SQLite / all PHP SQLite extensions.

 

Update:

Well, probably I should have read the manual first:

SQlite supports ` for compatibility with MySQL and [] for compatibility with MS Access and SQL Server. But it also supports double quotes, which is standard SQL. So I’d say this is the best way to do it:

SELECT "select", "my column", "this, that" FROM "group by table"

It works with all SQLite versions / extensions just like the [] syntax. (And my syntax highlighter supports it as well ;-).)

Update 2:

Another thing that might be of interest: What to do, if a column/table name contains double quotes? Well, in this case duplicate them and you are done. Let’s assume you have a column called like this:

my “column

Then you query it like this:

SELECT "my""column" FROM "my_table"

Recommendation

Try my Open Source PHP visitor analytics script CrazyStat.

4. October 2012

PDO / sqlite: database table is locked

Filed under: DBMS,PHP,phpLiteAdmin — Tags: , , , , , , , — Christopher Kramer @ 22:06

At the moment I am working again on phpliteadmin, a  php-based web GUI for database administration of sqlite databases. While debugging, I stumbled across a problem that only occurred with the PDO extension (not with SQLiteDatabase or SQLite3). I got the following error message while trying to drop a table:

HY000 / 6 / database table is locked

By the way, you can use PDO::errorInfo() to get these error messages. So as the error correctly explains, the table I tried to drop seemed to be in use. PDO documentation for PDO::query() also explains the problem (even though DROP TABLE statements are fired using PDO::exec()):

If you do not fetch all of the data in a result set before issuing your next call to PDO::query(), your call may fail. Call PDOStatement::closeCursor() to release the database resources associated with the PDOStatement object before issuing your next call to PDO::query().

So I hunted for the open cursor on a resultset of the table in question and could not find any. Finally, I found the SQL statement which still had an open cursor:

SELECT * FROM sqlite_master

Thinking about this, it is obvious: When querying sqlite_master, you request information about database tables. If one of the table gets altered or dropped, this might change the data listed in the resultset on which I still have a cursor.

Maybe this is a special case as usually you do not query sqlite_master a lot. But in case you do, this might be useful information.

To solve the problem, as the manual says, simply release the cursor using PDOStatement::closeCursor() before dropping/altering tables.

2. December 2011

CrazyStat 1.71 changes & features

Filed under: CrazyStat — Tags: , , , , , — Christopher Kramer @ 21:24

As promised, some more news about what’s new in upcoming version 1.71 of my PHP visitor analytics script CrazyStat:

  • New language: Danish language file (as already announced)
  • New feature: Average and total visting time analysed (hits module)
  • New feature: The files in the files-module can now be linked to the page counted
  • New logo: CrazyStat has a new logo thanks to Kartoffelpfluecker
  • Privacy improved: Reworked anonymous IPs. Now “anonymous IPs” look like normal ones and keep the first two octets. This way, the visitor’s country can be detected by IP, but the IP is still anonymous as the last two octets can not be reworked. Now this is turned on by default.
  • New privacy feature: Optionally, CrazyStat now respects the “Do-Not-Track” header that some browsers send if the user tells it to. When this is turned on, hits by those users will not be logged at all. Note that strictly speaking, CrazyStat never “tracks” users (does not use cookies etc.) and therefore by turning this on, you respect your users’s privacy even more than they asked for.
  • Browser detection: new browsers included in the keywords file (all those new Firefox-versions…), IE8 and IE9 now correctly detected in compatibility mode.
    Note that this is already available for CrazyStat 1.70 from the download page
  • PHP4 support removed. CrazyStat no longer comes with workarounds for old PHP4 installations, so PHP5.1 is required. Please update to PHP5, as PHP4 is insecure
  • Language-cookie “lang” renamed into “CrazyStat_lang” to avoid collisions with other scripts
  • Decimal separators now language-specific
  • Fixed a bug that caused weird ordering of days in some months
  • Lots of smaller bug fixes like invalid XHTML and PHP notice messages

Please let me know your opinion about the changes. I know it’s not a lot of great new features but more a maintenance update.

30. November 2011

CrazyStat 1.71 will speak Danish

Filed under: CrazyStat — Tags: , , — Christopher Kramer @ 14:19

As you might know, as of version 1.70, CrazyStat is a multi-language script. Originally, CrazyStat was available in German only. But in 1.70, I translated the interface and documentation into English to make CrazyStat available to a broader audience. Soon after I published the first release Candidate of CrazyStat 1.70, somebody (plaise.nl) voluntarily translated CrazyStat into Dutch. So when I released CrazyStat 1.70 final, CrazyStat included language files for German, English and Dutch.

Now Liza Overgaard sent me her translation of CrazyStat into Danish. She did not only translate the user interface, but also the readme file and even plans to translate the FAQ and config-documentation.

So upcoming CrazyStat 1.71 will include a Danish language file and documentation. Thanks a lot to all translators for their work that helps to spread CrazyStat.

If you speak some language that is not yet supported by CrazyStat, it would be great if you could translate CrazyStat into your language. It only takes a few hours as CrazyStat does not have much text on the user interface. Of course your work will be honoured by mentioning you in the changelog of CrazyStat and in the news. I will even link to your website if you want, which will lead visitors to your site and create a lot of backlinks.

Please contact me, if you are interested in translating CrazyStat. I also need somebody who supports the Dutch translation as plaise.nl stopped translating open-source software and I need a couple of small texts translated that are new in 1.71.

Thanks everybody for using CrazyStat. Especially to all translators.

More news about the upcoming version of the analytics script CrazyStat 1.71 will be published here and on twitter soon. Stay tuned.

« Newer Posts