php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43130 bind parameter cannot contain dashes
Submitted: 2007-10-29 18:07 UTC Modified: 2007-12-08 17:21 UTC
Votes:124
Avg. Score:3.3 ± 1.3
Reproduced:42 of 70 (60.0%)
Same Version:25 (59.5%)
Same OS:19 (45.2%)
From: joel at purerave dot com Assigned: iliaa (profile)
Status: Wont fix Package: PDO related
PHP Version: 5.2.4 OS: Windows XP Home
Private report: No CVE-ID: None
 [2007-10-29 18:07 UTC] joel at purerave dot com
Description:
------------
Parameters to bind in a prepared statement cannot contain dashes (-) in the name. It probably assumes that "-value" should be another variable.

If this cannot be fixed, then at least update the documentation to make it clear what names can and cannot be used. Using {} around the variable name would be nice too!

Reproduce code:
---------------
$db = new PDO("mysql:host=localhost;dbname=testing", 'xxxx', 'xxxx');
$stmt = $db->prepare("SELECT id FROM testing WHERE id=:id-value");
$stmt->bindParam(':id-value', $id);
$id = 1;
$stmt->execute();
var_dump($stmt->fetch());

Expected result:
----------------
array(2) { ["id"]=>  string(1) "1" [0]=>  string(1) "1" }

Actual result:
--------------
Warning: PDOStatement::execute() [function.PDOStatement-execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\htdocs\test.php on line 8
bool(false)

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-10-29 22:37 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-10-30 09:51 UTC] uw@php.net
I disagree with the decision to allow "-" in parameter names. Parameter names should consist of [a-zA-Z] and nothing else. "-" is an operator in most databases. 

For BC compatibility I'm also fine with the old pattern [:][a-zA-Z0-9_]+ . Though I must say, that I'd prefer [:][a-zA-Z]+[a-zA-Z0-9_]+, don't allow ":0". ":0" looks a bit like "operator" + "number"...

However, the underlying problem here is that there is absolutely no specification for PDO. This makes PDO a guessing game and error prone.
 [2007-12-08 17:21 UTC] sfox@php.net
The fix for this bug that went into CVS on 29th Oct was reverted on 26th Nov following advice from various database experts.

See http://news.php.net/php.cvs/46848, http://news.php.net/php.cvs/47302 and anything else on that thread for details.
 [2018-10-25 16:28 UTC] neelaraghavendra1 at gmail dot com
i cant store php form data in mysql
 [2020-03-08 17:24 UTC] vinocuek51 at gmail dot com
The following pull request has been associated:

Patch Name: fix typo: mysqlx => mysqlx_x
On GitHub:  https://github.com/php/pecl-database-mysql_xdevapi/pull/8
Patch:      https://github.com/php/pecl-database-mysql_xdevapi/pull/8.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 22:01:27 2024 UTC