Bug #44173 PDO->query() parameter parsing/checking needs an update
Submitted: 2008-02-19 15:52 UTC Modified: 2009-04-02 16:44 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: uwendel at mysql dot com Assigned: mbeccati (profile)
Status: Closed Package: PDO related
PHP Version: 5.3CVS-2008-02-19 (CVS) OS: Irrelevant
Private report: No CVE-ID: None
 [2008-02-19 15:52 UTC] uwendel at mysql dot com
Description:
------------
Parameter parsing/checking by PDO->query() should be updated to today's standards. I would like to see it be more strict and follow ideas from new code, e.g. do not accept objects/arrays for a scalar (int) parameter.

[1] PDO->query() -> Warning: query(): could not obtain parameters for parsing

[2] assert(PDO::FETCH_CLASS != 1); PDO->query("SELECT ...", 1, 1, 1) -> four arguments only make sense for mode = PDO::FETCH_CLASS, but 1 != PDO::FETCH_CLASS; I'd expect to see a warning

[3] $mode = new stdClass();
PDO->query('SELECT ...', $mode) -> Notice + PDOStatement returned ($mode cast to 1 I guess)

[4] PDO->query('SELECT ...', 2, 3, 4, 5) --> too many arguments in any case according to http://de.php.net/manual/en/function.PDO-query.php

Reproduce code:
---------------
[1] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("mysql:dbname=phptest;unix_socket=/tmp/mysql.sock", "root", "root"); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query());'

Warning: query(): could not obtain parameters for parsing in Command line code on line 1
bool(false)

[2] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); var_dump($pdo->query("SELECT id FROM test", 1, 1, 1));'
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}

[2] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); assert(PDO::FETCH_CLASS != 1); var_dump($pdo->query("SELECT id FROM test", 1, 1, 1));'
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}

[3] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); var_dump($pdo->query("SELECT id FROM test", $mode));'

Notice: Object of class stdClass could not be converted to int in Command line code on line 1
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}

[4] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); assert(PDO::FETCH_CLASS != 2); var_dump($pdo->query("SELECT id FROM test", 2, 3, 4, 5));'
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}


Expected result:
----------------
Just have a closer look at the function, play with the parameter and make it be a bit stricter and throw more hints for the user.
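The checks the report asks for can be expressed in userland while the engine-side fix is pending. The following is an added example, not code from the bug report or from PHP's own PDO implementation: a wrapper (the names `validateQueryArgs()` and `safeQuery()` are ours) that rejects a non-int fetch mode, extra arguments for modes that take none, and a missing or wrong-typed argument for FETCH_COLUMN, FETCH_CLASS and FETCH_INTO, throwing instead of silently coercing. It assumes PHP 7.4 or later with ext/pdo_sqlite available for the in-memory demo database.

```php
<?php
// Added example (not from the bug report or from PHP's PDO source).
// Names validateQueryArgs()/safeQuery() are ours; the accepted
// signatures follow the PDO::query() manual page.
declare(strict_types=1);

/**
 * Validate the (fetchMode, extra args) combination passed to PDO::query().
 *
 * Accepted forms:
 *   query($sql)
 *   query($sql, PDO::FETCH_COLUMN, int $colno)
 *   query($sql, PDO::FETCH_CLASS,  string $class, array $ctorArgs = [])
 *   query($sql, PDO::FETCH_INTO,   object $obj)
 * Any other mode takes no extra arguments.
 */
function validateQueryArgs(array $args): void
{
    $n = count($args);
    if ($n === 0) {
        return;                                   // plain query($sql)
    }
    $mode = $args[0];
    if (!is_int($mode)) {                         // issue [3]: never cast an object/array to int
        throw new InvalidArgumentException(
            'fetch mode must be int, ' . gettype($mode) . ' given');
    }
    switch ($mode) {
        case PDO::FETCH_COLUMN:                   // issue [6]: column index is mandatory
            if ($n !== 2 || !is_int($args[1])) {
                throw new InvalidArgumentException(
                    'FETCH_COLUMN requires exactly one int column index');
            }
            break;
        case PDO::FETCH_CLASS:                    // issue [7]: class must exist
            if ($n < 2 || $n > 3 || !is_string($args[1]) || !class_exists($args[1])) {
                throw new InvalidArgumentException(
                    'FETCH_CLASS requires an existing class name and optional ctor-args array');
            }
            if ($n === 3 && !is_array($args[2])) {
                throw new InvalidArgumentException('FETCH_CLASS ctor args must be an array');
            }
            break;
        case PDO::FETCH_INTO:                     // issue [5]: target object is mandatory
            if ($n !== 2 || !is_object($args[1])) {
                throw new InvalidArgumentException('FETCH_INTO requires exactly one object');
            }
            break;
        default:                                  // issues [2] and [4]: no extra args allowed
            if ($n !== 1) {
                throw new InvalidArgumentException(
                    "fetch mode $mode takes no extra arguments, " . ($n - 1) . ' given');
            }
    }
}

/** Validate first, then delegate; fail closed instead of returning false. */
function safeQuery(PDO $pdo, string $sql, ...$args): PDOStatement
{
    validateQueryArgs($args);
    $stmt = $pdo->query($sql, ...$args);
    if ($stmt === false) {
        throw new RuntimeException('PDO::query failed: ' . implode(' ', $pdo->errorInfo()));
    }
    return $stmt;
}

// Demo against a constructed in-memory SQLite table (requires ext/pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test(id INT)');
$pdo->exec('INSERT INTO test(id) VALUES (1)');

// Well-formed call: fetch the single column value.
var_dump(safeQuery($pdo, 'SELECT id FROM test', PDO::FETCH_COLUMN, 0)->fetch());

// Each of the malformed argument lists from the report is now rejected up front.
$malformed = [
    [1, 1, 1],                      // [2]: mode 1 with three extra arguments
    [new stdClass()],               // [3]: object where an int is expected
    [2, 3, 4, 5],                   // [4]: too many arguments
    [PDO::FETCH_INTO],              // [5]: FETCH_INTO without an object
    [PDO::FETCH_COLUMN],            // [6]: FETCH_COLUMN without a column index
    [PDO::FETCH_CLASS, 'unknown'],  // [7]: class that does not exist
];
foreach ($malformed as $bad) {
    try {
        safeQuery($pdo, 'SELECT id FROM test', ...$bad);
    } catch (InvalidArgumentException $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

The point of validating before the call rather than inspecting the return value is that PDO::query() in the reported builds returned a PDOStatement (or `false` with an empty SQLSTATE) for several of these inputs, so the caller could not distinguish a malformed argument list from a database error after the fact.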


 [2008-02-19 16:18 UTC] uwendel at mysql dot com
[5] PDO->query('SELECT ...', PDO::FETCH_INTO) -> no proper error message

nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query("SELECT id FROM test", PDO::FETCH_INTO));'

Warning: PDO::query(): SQLSTATE[]: <<Unknown error>> in Command line code on line 1
bool(false)
 [2008-02-19 16:21 UTC] uwendel at mysql dot com
[6] PDO->query("SELECT", PDO::FETCH_COLUMN) -> error message could be better

nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query("SELECT id FROM test", PDO::FETCH_COLUMN));'

Warning: PDO::query(): SQLSTATE[]: <<Unknown error>> in Command line code on line 1
bool(false)
 [2008-02-19 16:25 UTC] uwendel at mysql dot com
And a last one...


[7] PDO->query('SELECT....', PDO::FETCH_CLASS) -> proper error message

nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query("SELECT id FROM test", PDO::FETCH_CLASS, "unknown"));'

Warning: PDO::query(): SQLSTATE[]: <<Unknown error>> in Command line code on line 1
bool(false)


I have not checked other error modes of PDO. I do not know if PDO shall raise an exception for every warning it prints, if that's intended at all.
 [2009-03-22 17:59 UTC] matteo at beccati dot com
Fix is available here:

http://www.beccati.com/misc/php/pdo_pgsql_bug44173_php_5.3.patch
 [2009-03-22 19:36 UTC] matteo at beccati dot com
The following patch also removes the goto from the function, as suggested by Johannes:

http://www.beccati.com/misc/php/pdo_pgsql_bug44173_php_5.3_v2.patch
 [2009-04-02 16:44 UTC] mbeccati@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 08:01:28 2024 UTC