PHP :: Bug #35001 :: PDO unexpected crash on update

Bug #35001	PDO unexpected crash on update
Submitted:	2005-10-27 16:26 UTC	Modified:	2005-11-04 01:00 UTC
From:	antleclercq at online dot fr	Assigned:
Status:	No Feedback	Package:	PDO related
PHP Version:	5CVS-2005-10-27 (snap)	OS:	Win2000
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 31 + 22 = ?
Subscribe to this entry?

[2005-10-27 16:26 UTC] antleclercq at online dot fr

Description:
------------
Hi,

I get this stange bug with the following code. I thought it was fixed when I read the bug report: bugs.php.net/?id=34861, but it seems only partially.

Create the folowing table in a "test" db under mysql :
CREATE TABLE `test` (
  `id` int(11) NOT NULL default '0',
  `test1` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `test` VALUES (1, 'test', '');

Using the code below, try posting the following string :
x"'"x:a

(magic_quotes_gpc is on)

I took the latest snapshot for Win2000.

Info : that doesn't crash when using $db->exec($sql).

Antoine

Reproduce code:
---------------
<?php
if (isset($_POST))
{
	$string = $_POST["string"];
	$db = new PDO("mysql:dbname=test;host=localhost", "##user##", "##password##");
	$sql = "UPDATE test SET test1 = '".$string."' WHERE id = '1'";
	$res = $db->prepare($sql);
	$res->execute();
}
?>
<form action="" method="POST">
	<input type="text" value="<?php if (isset($_POST)){echo $_POST["string"];}?>" name="string">
</form>

Expected result:
----------------
It should update the record.

Actual result:
--------------
Warning: PDOStatement::execute() [function.execute]: SQLSTATE[HY093]: Invalid parameter number: no parameters were bound in C:\Program Files\Apache Group\Apache2\htdocs\test.php on line 16

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-10-27 17:10 UTC] tony2001@php.net

Add var_dump($sql); just before $res->prepare() and paste the output here.

[2005-11-04 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2008-03-25 16:37 UTC] andrespontt at gmail dot com

you should try bind variables like this:

<?php
if (isset($_POST))
{
	$id = '1';
        $string = $_POST["string"];

	$db = new PDO("mysql:dbname=test;host=localhost", "##user##",
"##password##");
	$sql = "UPDATE test SET test1 = :string WHERE id = :id;
	$res = $db->prepare($sql);
        
        $res->bindParam(':id', $id);
        $res->bindParam(':string', $string);
	$res->execute();
}
?>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 11:00:02 2025 UTC