PHP :: Bug #79131 :: PDO does not throw an exception when parameter values are missing

Bug #79131

PDO does not throw an exception when parameter values are missing

Submitted:

2020-01-16 15:33 UTC

Modified:

2020-12-10 14:29 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

love at sickpeople dot se

Assigned:

Status:

Closed

Package:

PDO MySQL

PHP Version:

7.4.1

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2020-01-16 15:33 UTC] love at sickpeople dot se

Description:
------------
In the test script I execute the same statement three times. The last execution has two parameters but the second parameter has array key 2 instead of 1 and is thus missing.

PDO returns false instead of throwing an exception.

Note that emulated PREPARE must be disabled.

Test script:
---------------
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
  ];

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

$stmt = $pdo->prepare('select ? a, ? b');

$set = [
    ['a', 'b'],
    [0 => 'a', 1 => 'b'],
    [0 => 'a', 2 => 'b'], /* Note the array keys */
  ];

foreach ($set as $params) {

    try {
        var_dump($stmt->execute($params), $stmt->fetchAll(PDO::FETCH_ASSOC));
      }
    catch (Throwable $error) {
        echo $error->getMessage() . "\n";
      }

  }


Expected result:
----------------
If emulated PREPARE is enabled, an error "SQLSTATE[HY093]: Invalid parameter number: parameter was not defined" is issued. The same error should be thrown as an exception.

Actual result:
--------------
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "a"
    ["b"]=>
    string(1) "b"
  }
}
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "a"
    ["b"]=>
    string(1) "b"
  }
}
bool(false)
array(0) {
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-01-17 12:41 UTC] cmb@php.net

Related To: Bug #79132

[2020-01-17 12:46 UTC] cmb@php.net

-Status: Open +Status: Verified

[2020-01-17 12:46 UTC] cmb@php.net

This is closely related to bug #79132, but it's not quite a
duplicate, because removing the first two values of $set still
triggers the reported behavior.  The issue is that only the number
of elements are checked, not their keys, although the
documentation states[1]:

| The keys from input_parameters must match the ones declared in
| the SQL. Before PHP 5.2.0 this was silently ignored.

[1] <https://www.php.net/manual/en/pdostatement.execute.php#refsect1-pdostatement.execute-changelog>

[2020-01-22 20:34 UTC] adambaratz@php.net

-Package: PDO related +Package: PDO MySQL

[2020-01-22 20:34 UTC] adambaratz@php.net

I think this bug is specific to pdo_mysql. At least, it's not an issue with pdo_sqlite. If helpful, I turned the test case into a .phpt file:
https://github.com/adambaratz/php-src/commit/e905da74accf1291000d4ee4f8f1c071fb6f3dee

[2020-12-10 14:29 UTC] nikic@php.net

The problem here is that PDO does not propagate errors from EVT_ALLOC (which PDO MySQL correctly sets).

Fixing that would be one line, but then we run into the problem that PDO PgSQL already works around this by raising an impl error in EVT_ALLOC...

[2020-12-10 14:53 UTC] nikic@php.net

Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=15b51a215ac08fa72aa6ea44755f7134710f9004
Log: Fixed bug #79131

[2020-12-10 14:53 UTC] nikic@php.net

-Status: Verified +Status: Closed

[2020-12-11 15:26 UTC] nikic@php.net

Related To: Bug #77490

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 03:00:02 2025 UTC