|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #23554 PEAR::DB incorrectly parses prepared statement
Submitted: 2003-05-08 18:33 UTC Modified: 2003-05-12 09:29 UTC
From: jmikola at arsjerm dot net Assigned: lsmith (profile)
Status: Not a bug Package: PEAR related
PHP Version: 4.3.1 OS: Redhat Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: jmikola at arsjerm dot net
New email:
PHP Version: OS:


 [2003-05-08 18:33 UTC] jmikola at arsjerm dot net
I'm using the PEAR::DB library distributed with the 4.3.1 PHP release. In the following bug, I noticed that PEAR is tossing a DB_ERROR_NEED_MORE_DATA during the parsing of the a prepared statement through a getOne() method call. Starting from the bottom, my method constructs a 2 element param array for the prepared statement (which expects two arguments), which I then pass to getOne(). I check up on the DB CVS sources for the error trigger point, and it's during token number verification prior to filling in the prepared statement: pear/DB/DB/common.php:executeEmulateQuery().

Currently, to get around this error, I've changed this query to not use a prepared statement, opting to hard-code:

getOne('SELECT level & \''.$level.'\' FROM auth WHERE id=\''.$id.'\'') its place (which works as expected). I've not experienced such an error in any other use of the PEAR::DB library. My script is operating on a mySQL database, and the in the 'auth' table show in my example, level is a SMALLINT and id is an INT field. PHP is version 4.3.1 running on Apache 2-current, with mySQL support compiled in.

The PHP debug backtrace is as follows:

/usr/local/lib/php/PEAR.php:730 trigger_error('DB Error: insufficient data supplied','256')
/usr/local/lib/php/DB.php:604 pear_error('DB Error: insufficient data supplied','-20','4','256','SELECT ? & level FROM auth WHERE id=?')
/usr/local/lib/php/PEAR.php:508 db_error('-20','4','256','SELECT ? & level FROM auth        WHERE id=?')
usr/local/lib/php/DB/common.php:296 raiseerror('','-20','','','SELECT ? & level FROM auth WHERE id=?','DB_Error','1')
/usr/local/lib/php/DB/common.php:603 raiseerror('-20')
/usr/local/lib/php/DB/common.php:555 executeemulatequery('1','Array')
/usr/local/lib/php/DB/common.php:794 execute('1','Array')
/home/website/file.php:634 getone('SELECT ? & level FROM auth WHERE id=?','Array')
/home/website/file.php:89 _dbselectaccess('2','1')

A script to reproduce the error is as follows:

function _dbSelectAccess ($id, $level=0) {
  $params = array($level, $id);
  // $id and $level are numeric and need no escaping
  return $this->db->getOne('SELECT ? & level FROM auth WHERE id=?', $params);


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-05-12 09:29 UTC]
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.


I am setting this report as bogus as it seems like a user issue.

Plese have a look at the docs:

- for parameters that dont need escaping you need to use !
- the & is used for storing LOB data
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Apr 15 04:01:28 2024 UTC