PHP :: Bug #39483 :: Problem with using placeholders and string constants in PDO MySQL

Bug #39483

Problem with using placeholders and string constants in PDO MySQL

Submitted:

2006-11-12 16:23 UTC

Modified:

2006-12-04 00:41 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

suhachov at gmail dot com

Assigned:

Status:

Closed

Package:

PDO related

PHP Version:

5.2.0

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2006-11-12 16:23 UTC] suhachov at gmail dot com

Description:
------------
It seems that PDO sql parser is broken and tries to look for placeholders within string constants.

$dbh = new PDO('mysql:...','...','...');
$sth = $dbh->prepare('SELECT my_udf(\'\0:D\0\'),?');
$sth->execute(array(1));

This code triggers an error:
PDO::prepare(): SQLSTATE[HY093]: Invalid parameter number: mixed named and positional parameters

And I can't replace string constant with placeholder, because MySQL doesn't allows to use placeholders with UDFs.

Reproduce code:
---------------
see above.
You even don't need any installed UDF.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-11-12 17:56 UTC] iliaa@php.net

which version of MySQL are you using?

[2006-11-12 18:05 UTC] suhachov at gmail dot com

I've tried it with:
5.0.26
4.1.15

[2006-11-12 18:11 UTC] suhachov at gmail dot com

Oh! I've forgot to note: when I compile pdo_mysql with 5.0 libraries, I get this error. When I compile it with 4.1 libraries, I get another error, but at the same place.

[2006-11-14 18:43 UTC] suhachov at gmail dot com

I suggest you some patch to fix this problem:

pdo_sql_parser.re:
        (["] (ESCQQ|ANYNOEOF\[\\"])* ["])      { RET(PDO_PARSER_TEXT); }
        (['] (ESCQ|ANYNOEOF\[\\'])* ['])       { RET(PDO_PARSER_TEXT); }
replace with:
        (["] (ESCQQ|[\\]ANYNOEOF|ANYNOEOF\[\\"])* ["])      { RET(PDO_PARSER_TEXT); }
        (['] (ESCQ|[\\]ANYNOEOF|ANYNOEOF\[\\'])* ['])       { RET(PDO_PARSER_TEXT); }

(i.e. allow any symbol escaped with backslash). 
I've regenerated parser and it seems working now...

[2006-12-04 00:41 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 22:00:01 2025 UTC