Bug #36760 PDO find Parameter but there's no parameter
Submitted: 2006-03-16 18:10 UTC Modified: 2006-03-18 18:20 UTC
From: n dot escuder at intra-links dot com Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID: None

 [2006-03-16 18:10 UTC] n dot escuder at intra-links dot com
Description:
------------
PDO Found some parameter / value.


Reproduce code:
---------------
$pdo = new PDO('mysql:host=192.168.69.20;dbname=Released', 'Web', 'Master99');
$query = "update Test set value='";

$var = "enabled=boolean:true
description=string:\"Test\"
type=integer?
";

$query .= mysql_escape_string($var);

$query  .= "', where id='2'";

$statement = $pdo->prepare($query);
$statement->execute();


Expected result:
----------------
No warning / error and the update of the database with the real content of $var.



Actual result:
--------------
Actually no update if $var is = "enabled=boolean:true
description=string:\"Test\"
type=integer?
";

but if $var is = "enabled=boolean:true
description=string:\"Test\"
type=integer?";

in the database we found:
enabled=boolean?
description=string:"Test"
type=integer?

 [2006-03-18 18:20 UTC] tony2001@php.net
Using mysql_escape_string() with PDO is definitely not the recommended way. 
Use bound parameters instead.
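
The bound-parameter approach recommended in the reply above, as an added example that is not part of the original report or of PHP's own code. It assumes an in-memory SQLite database (so it runs offline) in place of the reporter's MySQL server; the table layout and the helper names `updateValue` and `readValue` are hypothetical.

```php
<?php
// Added example. Assumption: SQLite in memory stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
// Throw on failure so a rejected statement is not silently ignored.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table mirroring the report's "Test" table.
$pdo->exec('CREATE TABLE Test (id INTEGER PRIMARY KEY, value TEXT)');
$pdo->exec("INSERT INTO Test (id, value) VALUES (2, '')");

// The SQL text contains only placeholders; the data travels separately,
// so ':' and '?' inside the value are never scanned as parameter markers.
function updateValue(PDO $pdo, int $id, string $value): int
{
    $statement = $pdo->prepare('UPDATE Test SET value = :value WHERE id = :id');
    $statement->bindValue(':value', $value, PDO::PARAM_STR);
    $statement->bindValue(':id', $id, PDO::PARAM_INT);
    $statement->execute();
    return $statement->rowCount();
}

function readValue(PDO $pdo, int $id): string
{
    $statement = $pdo->prepare('SELECT value FROM Test WHERE id = :id');
    $statement->bindValue(':id', $id, PDO::PARAM_INT);
    $statement->execute();
    return (string) $statement->fetchColumn();
}

$samples = [
    // The value from the report, with and without the trailing newline.
    "enabled=boolean:true\ndescription=string:\"Test\"\ntype=integer?\n",
    "enabled=boolean:true\ndescription=string:\"Test\"\ntype=integer?",
    // Constructed values: quote, backslash and placeholder look-alikes.
    "it's a 'quoted' value with :id and ? inside",
    "backslash \\ then quote ' then :value",
];

foreach ($samples as $value) {
    $rows   = updateValue($pdo, 2, $value);
    $stored = readValue($pdo, 2);
    // The stored bytes must equal the input exactly; no escaping is applied.
    printf("rows=%d intact=%s\n", $rows, $stored === $value ? 'yes' : 'NO');
}
```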
 
Last updated: Fri Dec 27 00:01:30 2024 UTC