php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #80355 Prepared statement broke with \ and -- characters
Submitted: 2020-11-12 16:17 UTC Modified: 2020-11-12 16:47 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: sartorua at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO PgSQL
PHP Version: 7.4.12 OS: Ubuntu 20.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: sartorua at gmail dot com
New email:
PHP Version: OS:

 

 [2020-11-12 16:17 UTC] sartorua at gmail dot com 
Description:
------------
SQL statement parser don't work with prepared parameters if SQL query string contains \ and -- characters (order matters).
PHP produces error:

Exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: :e'

Test script:
---------------
$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$s = $pdo->prepare("SELECT v FROM (VALUES ('\'),('--')) AS u (v) WHERE u.v = :e");
$s->execute([':e' => 'foo']);
$s->fetchAll();

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-11-12 16:35 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-11-12 16:35 UTC] cmb@php.net 
This is a duplicate of bug #79276.
 [2020-11-12 16:38 UTC] sartorua at gmail dot com
-Status: Duplicate +Status: Open -Package: PDO related +Package: PDO PgSQL
 [2020-11-12 16:38 UTC] sartorua at gmail dot com 
New minimal test code:

$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$pdo->prepare("SELECT '\', '--' WHERE 'q' = :e")->execute([':e' => 'q']);
 [2020-11-12 16:47 UTC] cmb@php.net
-Status: Open +Status: Duplicate
 [2020-11-12 16:47 UTC] cmb@php.net 
Still a duplicate.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Oct 30 05:00:01 2025 UTC