PHP :: Bug #33233 :: mysqli_bind_param/simple

Bug #33233	mysqli_bind_param/simple_xml interaction problem
Submitted:	2005-06-03 16:06 UTC	Modified:	2005-06-13 21:59 UTC
From:	blockcipher at yahoo dot com	Assigned:
Status:	Not a bug	Package:	SimpleXML related
PHP Version:	5.0.4	OS:	Windows 2000
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	blockcipher at yahoo dot com
New email:
PHP Version:		OS:

New Comment:

[2005-06-03 16:06 UTC] blockcipher at yahoo dot com

Description:
------------
It appears that I found an interesting interaction between the simple_xml library and the mysqli_bind_param function.  The values contained within an XML tag are returned as simple_xml object, not strings (which is what I inferred from the Zend tutorial.)  This had an adverse side-effect when combined with the mysqli_bind_param function.  Please note that this may affect other functions/libraries as well.

The steps are as follows:

1. Copy the value of an XML element into a variable.
2. Use the element in a prepared mysqli statement, binding it to the statement as a string.
3. Run the query.
4. Repeat steps 2 and 3, possibly with a different query.

After the bind or perhaps after I was done with the query, the actual data was changed from a simple_xml object to a very odd looking string.  This would crash the apache web server approximately 80-90% of the time when accessed.

Original variable data:
["username"]=>
object(SimpleXMLElement)#3 (1) {
  [0]=>
  string(4) "test"
}

Modified variable data:
["username"]=>
string(64) "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3                        "

Reproduce code:
---------------
No code provided since it is being developed for the company I work for.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-06-03 20:14 UTC] blockcipher at yahoo dot com

Here's a quick test case based on the problem.  It demonstrates the changing of the data type from an object to a string, but not the crash.

<?php
$xmltext = "<?xml version='1.0'?><body><user>test</user></body>";
$xmlObj = simplexml_load_string($xmltext);
$tempArray['username'] = $xmlObj->user;
$dbh = new mysqli('localhost','username','password','mysql');
$stmt = $dbh->prepare('select host from user where user = ? LIMIT 1');
print "Before: ";
var_dump($tempArray);
print "<br/><br/>Result: ";
$stmt->bind_param('s', $tempArray['username']);
$stmt->execute();
$stmt->bind_result($temp);
$stmt->fetch();
$stmt->close;
print "$temp<br/><br/>After: ";
var_dump($tempArray);
$dbh->close;
?>

[2005-06-03 21:23 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

[2005-06-07 21:11 UTC] blockcipher at yahoo dot com

There was no difference in behavior.

[2005-06-12 14:37 UTC] sniper@php.net

You need to cast the simplexml text to a string first.

[2005-06-13 21:59 UTC] blockcipher at yahoo dot com

Well, the problem is that in the tutorial on the Zend web site, there was no indication that you had to cast to a string.  Also, I see no reason that the mysqli_param should change the data type of the data being fed to it.  If nothing else, please make the documentation more clear and perhaps even fix the tutorial so that it's clearer that you need to cast to a string.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 22:00:01 2025 UTC