php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48314 PDO_MySQL doesn't use prepared statements
Submitted: 2009-05-18 13:25 UTC Modified: 2011-01-13 11:51 UTC
From: vrana@php.net Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.2.9 OS: Windows
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: vrana@php.net
New email:
PHP Version: OS:

 

 [2009-05-18 13:25 UTC] vrana@php.net
Description:
------------
It seems that PDO_MySQL doesn't use prepared statements even with disabled PDO::MYSQL_ATTR_DIRECT_QUERY. If the prepared statements would by used then the binary data passed in the example wouldn't cause a parse error.

MySQL version: 5.1.26

Reproduce code:
---------------
<?php
$pdo = new PDO("mysql:host=localhost", "ODBC", "");
$pdo->setAttribute(PDO::MYSQL_ATTR_DIRECT_QUERY, false);
$pdo->exec("SET NAMES gbk");
$stmt = $pdo->prepare("SELECT ?");
$stmt->execute(array(chr(0xbf) . chr(0x27)));
print_r($stmt->errorInfo());
?>


Expected result:
----------------
Array
(
    [0] => 00000
)


Actual result:
--------------
Array
(
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''?\''' at line 1
)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-18 13:43 UTC] johannes@php.net
Try also disabling PDO::ATTR_EMULATE_PREPARES. PHP 5.3 got some improvements/fixes with PDO_mysql (due to mysqlnd work) not sure if some parts can be backported.
 [2009-05-18 13:45 UTC] vrana@php.net
Same result.
 [2009-09-29 21:41 UTC] uw@php.net
Well, you should not use SET NAMES. It will not change the charset used for quoting. Currently there is no way to change the charset via an API call.

Try ext/mysqli... 
 [2009-11-04 19:01 UTC] uw@php.net
Occasionally I am tempted to bogus any PDO MYSQL character set bug report I see.

SET NAMES won't be recognized by the client and the wrong character set will be used for escaping. Adding a DSN option to specify the character set upon connect and setting it properly through the C API may be only five lines of code. 

But even if that would be implemented we would still have the PDO PS emulation as a potential pitfall. PDO will call the driver for escaping bound values and the driver will properly escape the values. But the PDO SQL parser itself won't care much about the current character set when searching for placeholders.
 [2010-09-06 11:14 UTC] uw@php.net
The sample script works fine with PHP 5.2.15-dev and MySQL 5.1.45-debug . What could happen in your case is that your server does not support preparing it and falls back to emulation.
 [2011-01-13 11:51 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-01-13 11:51 UTC] johannes@php.net
As Ulf said: There is a fallback in PDO to emulate in case the prepare failed.  The list of prepareable statements can be found on http://dev.mysql.com/doc/refman/5.1/en/c-api-prepared-statements.html for MySQL 5.1 and on http://dev.mysql.com/doc/refman/5.5/en/c-api-prepared-statements.html for the current 5.5.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 15 04:01:28 2025 UTC