Bug #35001 PDO unexpected crash on update
Submitted: 2005-10-27 16:26 UTC Modified: 2005-11-04 01:00 UTC
From: antleclercq at online dot fr Assigned:
Status: No Feedback Package: PDO related
PHP Version: 5CVS-2005-10-27 (snap) OS: Win2000
Private report: No CVE-ID: None
 [2005-10-27 16:26 UTC] antleclercq at online dot fr
Description:
------------
Hi,

I get this strange bug with the following code. I thought it was fixed when I read the bug report: bugs.php.net/?id=34861, but it seems only partially.

Create the following table in a "test" db under mysql :
CREATE TABLE `test` (
  `id` int(11) NOT NULL default '0',
  `test1` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `test` VALUES (1, 'test');

Using the code below, try posting the following string :
x"'"x:a

(magic_quotes_gpc is on)

I took the latest snapshot for Win2000.

Info : that doesn't crash when using $db->exec($sql).

Antoine

Reproduce code:
---------------
<?php
if (isset($_POST))
{
	$string = $_POST["string"];
	$db = new PDO("mysql:dbname=test;host=localhost", "##user##", "##password##");
	$sql = "UPDATE test SET test1 = '".$string."' WHERE id = '1'";
	$res = $db->prepare($sql);
	$res->execute();
}
?>
<form action="" method="POST">
	<input type="text" value="<?php if (isset($_POST)){echo $_POST["string"];}?>" name="string">
</form>

Expected result:
----------------
It should update the record.

Actual result:
--------------
Warning: PDOStatement::execute() [function.execute]: SQLSTATE[HY093]: Invalid parameter number: no parameters were bound in C:\Program Files\Apache Group\Apache2\htdocs\test.php on line 16

 [2005-10-27 17:10 UTC] tony2001@php.net
Add var_dump($sql); just before $res->prepare() and paste the output here.
 [2005-11-04 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-03-25 16:37 UTC] andrespontt at gmail dot com
You should try bind variables like this:

<?php
// Run only when the form field was actually posted.
if (isset($_POST["string"]))
{
	$id = '1';
	$string = $_POST["string"];

	$db = new PDO("mysql:dbname=test;host=localhost", "##user##", "##password##");
	// Named placeholders: the values are bound, not spliced into the SQL text.
	$sql = "UPDATE test SET test1 = :string WHERE id = :id";
	$res = $db->prepare($sql);

	$res->bindParam(':id', $id);
	$res->bindParam(':string', $string);
	$res->execute();
}
?>
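
The two forms from this thread side by side, as an added example that is not the reporter's, the commenter's or the PHP project's code: the concatenated statement is rejected once the posted value contains quotes, while the bound form stores the same value unchanged. It assumes the pdo_sqlite extension and an in-memory SQLite database in place of the report's MySQL server so it runs offline; the function names `updateBound` and `updateConcatenated` are hypothetical, and it does not reproduce the HY093 warning itself.

```php
<?php
// Added example. Assumption: pdo_sqlite is enabled; the report used MySQL.

/** Update test1 with bound parameters: the value never becomes SQL text. */
function updateBound(PDO $db, int $id, string $value): int
{
    $stmt = $db->prepare('UPDATE test SET test1 = :string WHERE id = :id');
    $stmt->bindValue(':string', $value, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

/** The report's concatenated form, kept only to show how it fails. */
function updateConcatenated(PDO $db, string $value): ?string
{
    $sql = "UPDATE test SET test1 = '" . $value . "' WHERE id = '1'";
    try {
        $db->prepare($sql)->execute();
        return null;                  // statement was accepted
    } catch (PDOException $e) {
        return $e->getMessage();      // the value was parsed as SQL and rejected
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (id INTEGER NOT NULL DEFAULT 0, test1 TEXT NOT NULL)');
$db->exec("INSERT INTO test VALUES (1, 'test')");

$input = 'x"\'"x:a';                  // the string from the report

$error = updateConcatenated($db, $input);
echo 'concatenated: ', $error === null ? 'accepted' : "rejected ($error)", PHP_EOL;

$rows = updateBound($db, 1, $input);
$stored = $db->query('SELECT test1 FROM test WHERE id = 1')->fetchColumn();
echo "bound: $rows row(s) updated, stored value intact: ";
var_dump($stored === $input);
```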