Notes on behaviour changes in ODBC for 8.2

NattyNarwhal · NattyNarwhal · commit 109fa143b1f1 · 2022-04-22T12:04:47.000-03:00
diff --git a/UPGRADING b/UPGRADING
@@ -19,6 +19,19 @@ PHP 8.2 UPGRADE NOTES
 1. Backward Incompatible Changes
 ========================================
 
+- ODBC:
+  . The ODBC extension now escapes the username and password for the case when
+    both a connection string and username/password are passed, and the string
+    must be appended to. Before, user values containing values needing escaping
+    could have created a malformed connection string, or injected values from
+    user-provided data. The escaping rules should be identical to the .NET BCL
+    DbConnectionOptions behaviour.
+
+- PDO_ODBC:
+  . The PDO_ODBC extension also escapes the username and password when a
+    connection string is passed. See the change to the ODBC extension for
+    further details.
+
 - Standard:
   . strtolower() and strtoupper() are no longer locale-sensitive. They now
     perform ASCII case conversion, as if the locale were "C". Use
@@ -68,6 +81,13 @@ PHP 8.2 UPGRADE NOTES
     possible to use numbered subpattern references, and the matches array will
     still contain numbered results.
 
+- Standard:
+  . Added odbc_connection_string_is_quoted, odbc_connection_string_should_quote,
+    and odbc_connection_string_quote. These are primarily used behind the scenes
+    in the ODBC and PDO_ODBC extensions, but is exposed to userland for easier
+    unit testing, and for user applications and libraries to perform quoting
+    themselves.
+
 ========================================
 3. Changes in SAPI modules
 ========================================
