Bug #65583 PDO MySQL driver does not properly escape backslashes
Submitted: 2013-08-29 13:10 UTC Modified: 2013-08-29 14:06 UTC
From: kevin at les-tilleuls dot coop Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.5.3 OS: Mac OS X
Private report: No CVE-ID: None
 [2013-08-29 13:10 UTC] kevin at les-tilleuls dot coop
Description:
------------
PDO MySQL driver does not escape backslashes in string.

The MySQL doc indicates that backslashes must be doubled to be escaped 
http://dev.mysql.com/doc/refman/5.6/en/string-literals.html

The driver does not do that. See the script above.
Should this escaping be done by PDO or a higher layer like Doctrine DBAL?

Test script:
---------------
<?php

define('DSN', 'mysql:dbname=testdb;host=127.0.0.1');
define('USER', 'root');
define('PASSWORD', '');

/* DATABASE STRUCTURE

CREATE TABLE `test` (
  `test` varchar(255) NOT NULL,
  PRIMARY KEY (`test`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

*/

$dbh = new PDO(DSN, USER, PASSWORD);

// One literal backslash followed by a 13-character unique id (14 chars total).
$data = '\\' . uniqid();

// Insert with a bound parameter: PDO quotes the value, the row is stored as-is.
$stmt = $dbh->prepare('INSERT INTO test(test) VALUES(:data)');
$stmt->execute(array('data' => $data));


// LIKE with the raw value as the pattern.
$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' => $data));

var_dump($stmt->fetchColumn());

// LIKE with the backslash doubled in the pattern ('\\' is one backslash in a
// single-quoted PHP string, '\\\\' is two).
$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' =>  str_replace('\\', '\\\\', $data)));

var_dump($stmt->fetchColumn());


Expected result:
----------------
string(14) "\521f3f450f597"
bool(false)

Actual result:
--------------
bool(false)
string(14) "\521f3f450f597"

 [2013-08-29 14:06 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2013-08-29 14:06 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Your issue is that for LIKE the \ is a special character. If you use 

$stmt = $dbh->prepare('SELECT test FROM test WHERE test = :data');

all works. See also http://dev.mysql.com/doc/refman/5.6/en/string-comparison-functions.html#operator_like
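The thread's resolution in working form, as an added example that is not part of the bug report or of PHP's own code: PDO's parameter binding protects the SQL statement, but a bound value used as a LIKE pattern is still interpreted by MySQL's pattern matcher, where backslash is the default escape character and `%` and `_` are wildcards. Escaping is therefore a separate step applied to the pattern, not something the driver can do for you. The example goes beyond the backslash case in the thread by also escaping `%` and `_`, since an unescaped wildcard in caller-supplied input silently widens the match. The function name `escapeLikePattern` and the DSN and credentials are assumptions; the table `test(test)` is the one from the report.

```php
<?php
// Added example, not code from the bug report. Assumes the `test` table from
// the report and a local MySQL server reachable with the DSN below.

/**
 * Escape a value for use inside a MySQL LIKE pattern (hypothetical helper).
 *
 * MySQL's LIKE uses \ as its default escape character, so a literal backslash
 * must become \\ and the wildcards % and _ must become \% and \_.
 * strtr() with an array performs all replacements in a single pass and never
 * re-scans text it has already inserted, so the backslashes it adds for % and _
 * are not doubled again.
 */
function escapeLikePattern(string $value): string
{
    return strtr($value, [
        '\\' => '\\\\',
        '%'  => '\\%',
        '_'  => '\\_',
    ]);
}

$pdo = new PDO('mysql:dbname=testdb;host=127.0.0.1', 'root', '', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// One literal backslash followed by a unique id, as in the report.
$data = '\\' . uniqid();

$stmt = $pdo->prepare('INSERT INTO test(test) VALUES(:data)');
$stmt->execute(['data' => $data]);

// Exact match: the bound parameter is compared literally, no LIKE escaping needed.
$stmt = $pdo->prepare('SELECT test FROM test WHERE test = :data');
$stmt->execute(['data' => $data]);
var_dump($stmt->fetchColumn());          // the inserted string

// Pattern match: escape the caller-supplied part, then append the wildcard yourself.
// With the raw $data as the pattern, the leading \ would escape the next character
// instead of matching a backslash, and the row would not be found.
$stmt = $pdo->prepare('SELECT test FROM test WHERE test LIKE :pattern');
$stmt->execute(['pattern' => escapeLikePattern($data) . '%']);
var_dump($stmt->fetchColumn());          // the inserted string again
```

Prefer `=` whenever an exact comparison is what is meant; reserve LIKE for genuine prefix or substring searches and build the pattern from escaped input plus wildcards you add explicitly. If the server's `sql_mode` is not under your control, an explicit `ESCAPE` clause on the LIKE fixes the escape character regardless of server settings.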
 [2013-08-29 19:51 UTC] kevin at les-tilleuls dot coop
Thanks for the reply.
Sorry for the inconvenience.