Bug #44433 Text with null characters (\0) truncated when bound to prepared statement
Submitted: 2008-03-13 18:30 UTC Modified: 2009-05-03 01:00 UTC
Votes:10
Avg. Score:4.0 ± 0.9
Reproduced:9 of 9 (100.0%)
Same Version:4 (44.4%)
Same OS:2 (22.2%)
From: hans at velum dot net Assigned:
Status: No Feedback Package: PDO related
PHP Version: 5.2.5 OS: Gentoo Linux
Private report: No CVE-ID: None

 [2008-03-13 18:30 UTC] hans at velum dot net
Description:
------------
I'm using PostgreSQL (8.2.x) and am having a problem inserting serialized data containing null characters (\0) into the database.  I am using prepared statements and the bindValue() method to bind the serialized data as a PDO::PARAM_STR.

It's not obvious from the output below, but these serialized strings contain null values because of the private variables.

I can't seem to find an existing bug for this; however, it surprises me that no one has reported this before.


Reproduce code:
---------------
$pdo = new PDO('pgsql: dbname=testdb user=postgres');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

try {
        $pdo->exec('DROP TABLE testtbl');
} catch (PDOException $x) { /* ignore */ }

$pdo->exec('CREATE TABLE testtbl (id integer not null, txtcol text)');

class MyClass {
  private $var1;
  function __construct($val) { $this->var1 = $val; }
}

$serialized = serialize(array('foo' => new MyClass('bar'), 'baz' => new MyClass('bingo!')));

print "Serialized data: " . $serialized . PHP_EOL;

$stmt = $pdo->prepare('INSERT INTO testtbl (id, txtcol) VALUES (1, ?)');
$stmt->bindValue(1, $serialized, PDO::PARAM_STR);
$stmt->execute();

$stmt = $pdo->query('SELECT * FROM testtbl WHERE id = 1');
$row = $stmt->fetch();

print "From database: " . $row['txtcol'] . PHP_EOL;


Expected result:
----------------
Serialized data: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}
From database: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}

Actual result:
--------------
Serialized data: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}
From database: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"

 [2009-03-09 23:21 UTC] bmauser at gmail dot com
I noticed the same problem on Windows (Vista) and the same PHP version 5.2.5. The serialized string I tried to store in the database was:

O:8:"Psa_User":3:{s:9:" * groups";a:0:{}s:13:" * last_login";i:0;s:10:"test_value";i:391;}

and when I put the output from serialize() in a hex editor you can see some null characters:

00000000h: 4F 3A 38 3A 22 50 73 61 5F 55 73 65 72 22 3A 33 ; O:8:"Psa_User":3
00000010h: 3A 7B 73 3A 39 3A 22 00 2A 00 67 72 6F 75 70 73 ; :{s:9:".*.groups
00000020h: 22 3B 61 3A 30 3A 7B 7D 73 3A 31 33 3A 22 00 2A ; ";a:0:{}s:13:".*
00000030h: 00 6C 61 73 74 5F 6C 6F 67 69 6E 22 3B 69 3A 30 ; .last_login";i:0
00000040h: 3B 73 3A 31 30 3A 22 74 65 73 74 5F 76 61 6C 75 ; ;s:10:"test_valu
00000050h: 65 22 3B 69 3A 33 39 31 3B 7D                   ; e";i:391;}

The value in the query that should update the database is truncated at the first null character in the string. That is true for prepared statements with PDO->prepare() and also for values that are only escaped with PDO->quote().

When using the same code with the mysql_pdo driver, queries are not truncated and the null characters are stored in the database blob object.

I used the base64_encode and decode functions to work around this and stored the base64-encoded string in the database.
 [2009-04-25 14:56 UTC] jani@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-05-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2012-10-12 12:57 UTC] metala at metala dot org
I have experienced the same issue with PHP 5.4.4-7 using Debian wheezy/sid.

Actually it made me drop the idea to store objects in the database and I used the conventional way to solve the problem. So it was frustrating....
 [2012-10-12 13:01 UTC] metala at metala dot org
Forgot to add the postgres and pdo_pgsql versions.

pdo_pgsql

PDO Driver for PostgreSQL => enabled
PostgreSQL(libpq) Version => 9.1.5
Module version => 1.0.2
Revision =>  $Id$ 

Package: postgresql-9.1                  
State: installed
Automatically installed: no
Version: 9.1.5-2
 [2012-12-28 16:30 UTC] emeraldd dot chris at gmail dot com
I can confirm that this still exists in PHP 5.3.19 (also running Gentoo).  Has anyone found a solution?
 [2012-12-28 16:38 UTC] emeraldd dot chris at gmail dot com
It looks like this might actually be a limitation in PostgreSQL.  From what I can tell, the database does not support storing the null character.

http://stackoverflow.com/questions/1347646/postgres-error-on-insert-error-invalid-byte-sequence-for-encoding-utf8-0x0

The relevant line is just above heading 4.1.2.3

http://www.postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-UESCAPE
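
Added example (not part of the bug report, of any comment above, or of PHP's own code): a database-free PHP script that shows where the NUL bytes in serialize() output come from, that cutting the string at the first NUL reproduces the reporter's "Actual result", and that the base64 workaround mentioned in the thread round-trips losslessly. The helper names c_string_view, encode_for_text_column and decode_from_text_column are hypothetical; MyClass is copied from the reproduce code.

```php
<?php
// Added example; MyClass is copied from the report's reproduce code.
class MyClass {
    private $var1;
    function __construct($val) { $this->var1 = $val; }
}

// What a consumer of NUL-terminated C strings sees: everything before the first \0.
function c_string_view(string $s): string {
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

// Workaround from the thread: base64 maps the value into a NUL-free alphabet.
function encode_for_text_column(string $s): string {
    return base64_encode($s);
}

function decode_from_text_column(string $stored): string {
    $raw = base64_decode($stored, true); // strict mode rejects bytes outside the alphabet
    if ($raw === false) {
        throw new UnexpectedValueException('stored value is not valid base64');
    }
    return $raw;
}

$serialized = serialize(array('foo' => new MyClass('bar'), 'baz' => new MyClass('bingo!')));

// Private property names are serialized as \0ClassName\0prop, which is why the
// report shows s:13 for the 11 visible characters of "MyClassvar1".
printf("length=%d, NUL bytes=%d\n", strlen($serialized), substr_count($serialized, "\0"));
echo "Printable: ", str_replace("\0", '\0', $serialized), PHP_EOL;

// Compare with the "Actual result" line in the report.
echo "Truncated: ", c_string_view($serialized), PHP_EOL;

$stored = encode_for_text_column($serialized);
var_dump(strpos($stored, "\0") === false);                  // no NUL left to truncate on
var_dump(decode_from_text_column($stored) === $serialized); // lossless round trip

// Restore only the expected class; any other class name in the stored data
// is turned into __PHP_Incomplete_Class instead of being instantiated.
$restored = unserialize(decode_from_text_column($stored), ['allowed_classes' => ['MyClass']]);
var_dump($restored['baz'] instanceof MyClass);
```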
 
Last updated: Tue Jul 15 16:01:33 2025 UTC