$test = "foo ' bar";
$quoted = $conn->quote( $test );
RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'
Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8
Backported to 2.0.9
Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7
This code is now in DBAL 2.1.4 and 2.0.9 and i have added some tests to very some simple SQL Injection vectors don't work on any supported platform.