php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64953 Postgres prepared statement positional parameter casting
Submitted: 2013-05-31 09:46 UTC Modified: 2013-08-20 13:07 UTC
From: goetas at lignano dot it Assigned:
Status: Closed Package: PDO related
PHP Version: 5.3.25 OS: ubuntu 10.04
Private report: No CVE-ID: None
 [2013-05-31 09:46 UTC] goetas at lignano dot it
Description:
------------
Using a prepared statement with positional parameters will produce unexpected behaviour when casting these parameters.



Test script:
---------------
// pdo
$pdo = new \PDO("pgsql:host=localhost;dbname=db", "user", "pwd");
$pdo->setAttribute (\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);


$st = $pdo->prepare('SELECT ?::char as i');
$st->bindValue(1, '1');
$st->execute();
var_dump($st->fetch()); // return false


$st = $pdo->prepare('SELECT (?)::char as i');
$st->bindValue(1, '1');
$st->execute();
var_dump($st->fetch());  // return array(1) { ["i"]=> string(1) "1" }


// old pg extension
$dbconn = pg_connect("host=localhost dbname=superdpi user=postgres  password=df54tb70");
$result = pg_prepare($dbconn, "my_query", 'SELECT $1::char as i');
$result = pg_execute($dbconn, "my_query", array("1"));
var_dump(pg_fetch_assoc ( $result)); // return array(1) { ["i"]=> string(1) "1" }


Expected result:
----------------
array(2) {
  ["i"]=>
  string(1) "1"
  [0]=>
  string(1) "1"
}
array(2) {
  ["i"]=>
  string(1) "1"
  [0]=>
  string(1) "1"
}
array(1) {
  ["i"]=>
  string(1) "1"
}

Actual result:
--------------
bool(false)
array(2) {
  ["i"]=>
  string(1) "1"
  [0]=>
  string(1) "1"
}
array(1) {
  ["i"]=>
  string(1) "1"
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-08-20 13:07 UTC] mike@php.net
-Status: Open +Status: Analyzed
 [2013-08-20 13:07 UTC] mike@php.net
The problem rather is, that PDO contains an SQL parser (or, erm, such) which 
implements named parameters like ":argname". The result is then discovered by 
people not only using MySQL: havoc.
 [2013-08-20 17:26 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27c803aaed259f76a66db1278eea05f30a8ec956
Log: Fix bug #64953 (Postgres prepared statement positional parameter casting)
 [2013-08-20 17:26 UTC] mike@php.net
-Status: Analyzed +Status: Closed
 [2014-10-07 23:17 UTC] stas@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=27c803aaed259f76a66db1278eea05f30a8ec956
Log: Fix bug #64953 (Postgres prepared statement positional parameter casting)
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=27c803aaed259f76a66db1278eea05f30a8ec956
Log: Fix bug #64953 (Postgres prepared statement positional parameter casting)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 06:01:30 2024 UTC