php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #48314 PDO_MySQL doesn't use prepared statements
Submitted: 2009-05-18 13:25 UTC Modified: 2011-01-13 11:51 UTC
From: vrana@php.net Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.2.9 OS: Windows
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: vrana@php.net
New email:
PHP Version: OS:

 

 [2009-05-18 13:25 UTC] vrana@php.net 
Description:
------------
It seems that PDO_MySQL doesn't use prepared statements even with disabled PDO::MYSQL_ATTR_DIRECT_QUERY. If the prepared statements would by used then the binary data passed in the example wouldn't cause a parse error.

MySQL version: 5.1.26

Reproduce code:
---------------
<?php
$pdo = new PDO("mysql:host=localhost", "ODBC", "");
$pdo->setAttribute(PDO::MYSQL_ATTR_DIRECT_QUERY, false);
$pdo->exec("SET NAMES gbk");
$stmt = $pdo->prepare("SELECT ?");
$stmt->execute(array(chr(0xbf) . chr(0x27)));
print_r($stmt->errorInfo());
?>


Expected result:
----------------
Array
(
    [0] => 00000
)


Actual result:
--------------
Array
(
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''?\''' at line 1
)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-18 13:43 UTC] johannes@php.net 
Try also disabling PDO::ATTR_EMULATE_PREPARES. PHP 5.3 got some improvements/fixes with PDO_mysql (due to mysqlnd work) not sure if some parts can be backported.
 [2009-05-18 13:45 UTC] vrana@php.net 
Same result.
 [2009-09-29 21:41 UTC] uw@php.net 
Well, you should not use SET NAMES. It will not change the charset used for quoting. Currently there is no way to change the charset via an API call.

Try ext/mysqli...
 [2009-11-04 19:01 UTC] uw@php.net 
Occasionally I am tempted to bogus any PDO MYSQL character set bug report I see.

SET NAMES won't be recognized by the client and the wrong character set will be used for escaping. Adding a DSN option to specify the character set upon connect and setting it properly through the C API may be only five lines of code. 

But even if that would be implemented we would still have the PDO PS emulation as a potential pitfall. PDO will call the driver for escaping bound values and the driver will properly escape the values. But the PDO SQL parser itself won't care much about the current character set when searching for placeholders.
 [2010-09-06 11:14 UTC] uw@php.net 
The sample script works fine with PHP 5.2.15-dev and MySQL 5.1.45-debug . What could happen in your case is that your server does not support preparing it and falls back to emulation.
 [2011-01-13 11:51 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-01-13 11:51 UTC] johannes@php.net 
As Ulf said: There is a fallback in PDO to emulate in case the prepare failed.  The list of prepareable statements can be found on http://dev.mysql.com/doc/refman/5.1/en/c-api-prepared-statements.html for MySQL 5.1 and on http://dev.mysql.com/doc/refman/5.5/en/c-api-prepared-statements.html for the current 5.5.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 06:00:01 2025 UTC