Bug #23554 PEAR::DB incorrectly parses prepared statement
Submitted: 2003-05-08 18:33 UTC Modified: 2003-05-12 09:29 UTC
From: jmikola at arsjerm dot net Assigned: lsmith (profile)
Status: Not a bug Package: PEAR related
PHP Version: 4.3.1 OS: Redhat Linux
Private report: No CVE-ID: None
 [2003-05-08 18:33 UTC] jmikola at arsjerm dot net
I'm using the PEAR::DB library distributed with the 4.3.1 PHP release. In the following bug, I noticed that PEAR is tossing a DB_ERROR_NEED_MORE_DATA during the parsing of a prepared statement through a getOne() method call. Starting from the bottom, my method constructs a 2 element param array for the prepared statement (which expects two arguments), which I then pass to getOne(). I checked up on the DB CVS sources for the error trigger point, and it's during token number verification prior to filling in the prepared statement: pear/DB/DB/common.php:executeEmulateQuery().

Currently, to get around this error, I've changed this query to not use a prepared statement, opting to hard-code:

getOne('SELECT level & \''.$level.'\' FROM auth WHERE id=\''.$id.'\'')

..in its place (which works as expected). I've not experienced such an error in any other use of the PEAR::DB library. My script is operating on a mySQL database, and in the 'auth' table shown in my example, level is a SMALLINT and id is an INT field. PHP is version 4.3.1 running on Apache 2-current, with mySQL support compiled in.

The PHP debug backtrace is as follows:

/usr/local/lib/php/PEAR.php:730 trigger_error('DB Error: insufficient data supplied','256')
/usr/local/lib/php/DB.php:604 pear_error('DB Error: insufficient data supplied','-20','4','256','SELECT ? & level FROM auth WHERE id=?')
/usr/local/lib/php/PEAR.php:508 db_error('-20','4','256','SELECT ? & level FROM auth        WHERE id=?')
/usr/local/lib/php/DB/common.php:296 raiseerror('','-20','','','SELECT ? & level FROM auth WHERE id=?','DB_Error','1')
/usr/local/lib/php/DB/common.php:603 raiseerror('-20')
/usr/local/lib/php/DB/common.php:555 executeemulatequery('1','Array')
/usr/local/lib/php/DB/common.php:794 execute('1','Array')
/home/website/file.php:634 getone('SELECT ? & level FROM auth WHERE id=?','Array')
/home/website/file.php:89 _dbselectaccess('2','1')

A script to reproduce the error is as follows:

function _dbSelectAccess ($id, $level=0) {
  $params = array($level, $id);
  // $id and $level are numeric and need no escaping
  return $this->db->getOne('SELECT ? & level FROM auth WHERE id=?', $params);
}

 [2003-05-12 09:29 UTC] lsmith@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

Hi,

I am setting this report as bogus as it seems like a user issue.

Please have a look at the docs:
http://pear.php.net/manual/en/package.database.db.intro-execute.php

- for parameters that don't need escaping you need to use !
- the & is used for storing LOB data
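
The placeholder count mismatch behind this report, as an added example that is not part of the original thread and is not PEAR::DB's own code: a simplified model of emulated placeholder substitution showing why the reported query needs three parameters and how it can stay parameterized instead of being concatenated. The function names are hypothetical, addslashes() stands in for the driver's quoting, and the backslash escape for a literal & is an assumption to confirm against the installed DB release.

```php
<?php
// Added illustration: a simplified model of emulated placeholder handling,
// not PEAR::DB's code. Function names are hypothetical.
// '?' = quoted scalar, '!' = inserted as-is, '&' = file/LOB (per the reply above).
// Assumption: a backslash before ?, ! or & marks it as a literal character.

function split_placeholders(string $sql): array
{
    // Odd-numbered elements of the result are the unescaped placeholders.
    return preg_split('/(?<!\\\\)([?!&])/', $sql, -1, PREG_SPLIT_DELIM_CAPTURE);
}

function emulate(string $sql, array $params): string
{
    $parts = split_placeholders($sql);
    $needed = intdiv(count($parts), 2);
    if ($needed !== count($params)) {
        throw new LengthException(
            "$needed placeholders in query, " . count($params) . ' parameters supplied');
    }
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {            // literal SQL between placeholders
            $out .= preg_replace('/\\\\([?!&])/', '$1', $part);
        } elseif ($part === '?') {     // addslashes() stands in for driver quoting
            $out .= "'" . addslashes((string) $params[intdiv($i, 2)]) . "'";
        } elseif ($part === '!') {     // goes in verbatim: accept integers only
            $value = filter_var($params[intdiv($i, 2)], FILTER_VALIDATE_INT);
            if ($value === false) {
                throw new InvalidArgumentException('"!" parameter must be an integer');
            }
            $out .= $value;
        } else {
            throw new DomainException('"&" takes a file name (LOB); not modelled');
        }
    }
    return $out;
}

$params = [1, 2]; // constructed sample values: level, id
try {
    emulate('SELECT ? & level FROM auth WHERE id=?', $params);
} catch (LengthException $e) {
    echo $e->getMessage(), "\n"; // '&' counted as a third placeholder
}
echo emulate('SELECT ? \& level FROM auth WHERE id=?', $params), "\n";
echo emulate('SELECT ! \& level FROM auth WHERE id=!', $params), "\n";
```

Because a value bound to ! reaches the SQL text unquoted, the model rejects anything that is not an integer before substituting it.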