Bug #37838 pg_escape_string is not capable of escaping null characters
Submitted: 2006-06-18 16:21 UTC Modified: 2006-06-19 13:28 UTC
From: jona at oismail dot com Assigned:
Status: Not a bug Package: PostgreSQL related
PHP Version: 5.1.4 OS: Windows 2000
Private report: No CVE-ID: None
 [2006-06-18 16:21 UTC] jona at oismail dot com
Description:
------------
It appears that pg_escape_string is not capable of escaping null characters (such as those found in a serialised object with private/protected member variables).
The returned string is truncated when the null character (\0) is encountered and thus any data after the null character is lost.

It appears that PostgreSQL has a problem with null characters, as even when using addslashes() to escape the null character, the query executes but data after the null character is never inserted into the database.

This behaviour is observed on Windows 2000 running PostgreSQL 8.0.3 and PHP 5.1.4 via IIS 5.0.

Reproduce code:
---------------
<?php
class Test
{
	private $privateVar;
	protected $protectedVar;
	
	public function __construct($private, $protected)
	{
		$this->privateVar = $private;
		$this->protectedVar = $protected;
	}
}
echo pg_escape_string(serialize(new Test("private variable", "protected variable") ) );
?>

Expected result:
----------------
Properly escaped string that can be sent to the PostgreSQL backend

Actual result:
--------------
screen output: O:4:"Test":2:{s:16:"

 [2006-06-19 01:30 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

To encode binary characters such as \0 you need to use the
pg_escape_bytea() function.
 [2006-06-19 13:28 UTC] jona at oismail dot com
If the behaviour is intended I must apologize for causing a fuss but I didn't realise this was the case.
But perhaps the documentation should outline this clearly?
Or maybe the function should throw an E_WARNING when encountering a null character rather than just silently truncating the string?

I expected to be able to use pg_escape_string when storing a serialized object with private/protected members in the database (such as when using objects for session data) and was rather baffled to realise that my serialised object was truncated after the first \0.

Thank you for your hard work with making PHP even better.
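
The truncation reported in this thread and one NUL-safe way around it, as an added example that is not part of the original report or of PHP's own code. The helper names are hypothetical, and base64 into a text column is used here instead of the pg_escape_bytea()/bytea route named in the reply, so that the script runs without a database connection.

```php
<?php
// Added example: class Test is taken from the report, every helper name is hypothetical.
class Test
{
    private $privateVar;
    protected $protectedVar;

    public function __construct($private, $protected)
    {
        $this->privateVar = $private;
        $this->protectedVar = $protected;
    }
}

// What a C-string based escaper effectively sees: the bytes before the first NUL.
function c_string_view(string $s): string
{
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

// Fail loudly instead of losing data: a PostgreSQL text value cannot hold a NUL byte.
function assert_text_safe(string $s): string
{
    if (strpos($s, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in text value; store as binary or encode');
    }
    return $s;
}

// base64 output contains no NUL, quote or backslash, so it survives a text column intact.
function pack_for_text_column(Test $value): string
{
    return assert_text_safe(base64_encode(serialize($value)));
}

function unpack_from_text_column(string $stored): Test
{
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        throw new UnexpectedValueException('stored value is not valid base64');
    }
    // Restrict unserialize() to the expected class; never feed it untrusted input.
    return unserialize($raw, ['allowed_classes' => ['Test']]);
}

// serialize() names private members "\0Test\0privateVar" and protected ones "\0*\0protectedVar".
$obj = new Test('private variable', 'protected variable');
echo c_string_view(serialize($obj)), "\n";           // the truncated prefix from the report
echo substr_count(serialize($obj), "\0"), " NUL bytes in the serialized object\n";
var_dump(unpack_from_text_column(pack_for_text_column($obj)) == $obj);
```

The value returned by pack_for_text_column() should still be sent as a bound parameter or through pg_escape_string(); the encoding only removes the NUL bytes, it does not replace query escaping.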
 
Last updated: Thu Apr 25 09:01:29 2024 UTC