Commit a99800e

committed
Finalize
1 parent 04f0b4c commit a99800e

2 files changed

+6
-15
lines changed

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -294,7 +294,7 @@ $result3 = $connection3->Query("...");
294294
| <strong>Query</strong> | Execute an SQL query and return its response. For 'select' queries the response can be iterated using a 'foreach' statement. You can pass an array as second parameter to execute the query as prepared statement, where the array contains the parameter values. SECURITY WARNING: For prepared statements in MonetDB, the parameter values are passed in a regular 'EXECUTE' command, using escaping. Therefore the same security considerations apply here as for using the Connection->Escape(...) method. Please read the comments for that method. <br><br><strong>@param</strong> <em>string</em> <strong>$sql</strong><br><strong>@param</strong> <em>array</em> <strong>$params</strong> <em>= null</em> : An optional array for prepared statement parameters. If not provided (or null), then a normal query is executed, instead of a prepared statement. The parameter values will retain their PHP type if possible. The following values won't be converted to string: null, true, false and numeric values.<br><strong>@return</strong> <em>Response</em> |
295295
| <strong>QueryFirst</strong> | Execute an SQL query and return only the first row as an associative array. If there is more data on the stream, then discard all. Returns null if the query has empty result. You can pass an array as second parameter to execute the query as prepared statement, where the array contains the parameter values. <br><br><strong>@param</strong> <em>string</em> <strong>$sql</strong><br><strong>@param</strong> <em>array</em> <strong>$params</strong> <em>= null</em> : An optional array for prepared statement parameters. If not provided (or null), then a normal query is executed, instead of a prepared statement. See the 'Query' method for more information about the parameter values.<br><strong>@return</strong> <em>string[] -or- null</em> |
296296
| <strong>Command</strong> | Send a 'command' to MonetDB. Commands are used for configuring the database, for example setting the maximal response size, or for requesting unread parts of a query response ('export').<br><br><strong>@param</strong> <em>string</em> <strong>$command</strong><br><strong>@param</strong> <em>bool</em> <strong>$noResponse</strong> <em>= true</em> : If true, then returns NULL and makes no read to the underlying socket.<br><strong>@return</strong> <em>Response -or- null</em> |
297-
| <strong>Escape</strong> | Escape a string value, to be inserted into a query, inside single quotes. SECURITY WARNING: Currently no successful SQL-injection attacks are known, but this function was implemented without full knowledge of the parsing algorithm on the server side, therefore it cannot be trusted completely. Use this library only for data analysis, but don't use it for authentication or session management, etc. Non-authenticated users should never have the opportunity to execute parameterized queries with it, and never run the server as root. As a security measure this library forces the use of multi-byte support and UTF-8 encoding, which is also used by MonetDB, avoiding the SQL-injection attacks, which play with differences between character encodings. The following characters are escaped by this method: backslash, single quote, carriage return, line feed, tabulator, null character, CTRL+Z.<br><br><strong>@param</strong> <em>string</em> <strong>$value</strong><br><strong>@return</strong> <em>string</em> |
297+
| <strong>Escape</strong> | Escape a string value, to be inserted into a query, inside single quotes. The following characters are escaped by this method: backslash, single quote, carriage return, line feed, tabulator, null character, CTRL+Z. As a security measure this library forces the use of multi-byte support and UTF-8 encoding, which is also used by MonetDB, avoiding the SQL-injection attacks, which play with differences between character encodings. <br><br><strong>@param</strong> <em>string</em> <strong>$value</strong><br><strong>@return</strong> <em>string</em> |
298298
| <strong>ClearPsCache</strong> | Clears the in-memory cache of prepared statements. This is called automatically when an error is received from MonetDB, because that also purges the prepared statements and all session state in this case. |
299299
| <strong>GetMaxReplySize</strong> | The maximal number of tuples returned in a response.<br><br><strong>@return</strong> <em>int</em> |
300300
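Review bot: Dropping the SECURITY WARNING from the Escape row leaves a dangling reference in the unchanged Query row just above it, which still says "the same security considerations apply here as for using the Connection->Escape(...) method. Please read the comments for that method." With the caveat about the server-side parsing algorithm removed, a reader following that pointer finds only the list of escaped characters. Either update the Query row to drop the cross-reference, or keep a short statement in the Escape row of what was done to retire the caveat (the commit message "Finalize" does not say why the warning no longer applies). Reordering the escaped-character list ahead of the UTF-8 sentence is fine.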

src/Connection.php

Lines changed: 5 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -424,24 +424,15 @@ public function Command(string $command, bool $noResponse = true): ?Response
424424

425425
/**
426426
* Escape a string value, to be inserted into a query,
427-
* inside single quotes. SECURITY WARNING:
428-
* Currently no successful SQL-injection attacks are known,
429-
* but this function was implemented without full knowledge
430-
* of the parsing algorithm on the server side, therefore
431-
* it cannot be trusted completely. Use this library
432-
* only for data analysis, but don't use it for
433-
* authentication or session management, etc.
434-
* Non-authenticated users should never have the
435-
* opportunity to execute parameterized queries with
436-
* it, and never run the server as root.
427+
* inside single quotes.
428+
* The following characters are escaped by this method:
429+
* backslash, single quote, carriage return,
430+
* line feed, tabulator, null character, CTRL+Z.
437431
* As a security measure this library forces the use of
438432
* multi-byte support and UTF-8 encoding, which is also
439433
* used by MonetDB, avoiding the SQL-injection attacks,
440434
* which play with differences between character encodings.
441-
* The following characters are escaped by this method:
442-
* backslash, single quote, carriage return,
443-
* line feed, tabulator, null character, CTRL+Z.
444-
*
435+
*
445436
* @param string $value
446437
* @return string
447438
*/
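Review bot: The removed docblock lines (427-436) were the only place in the source stating the known limitation of this function, and nothing in the hunk or the commit message explains what changed to make the warning obsolete; since the prepared-statement path in Query is documented as relying on this same escaping, please record the justification in the commit message or in the docblock itself. The retained text "avoiding the SQL-injection attacks, which play with differences between character encodings" would also read better as "avoiding SQL-injection attacks that exploit differences between character encodings". The escaped-character list now correctly precedes the encoding note, so the structural reorder itself is fine.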
