Bug #33233 mysqli_bind_param/simple_xml interaction problem
Submitted: 2005-06-03 16:06 UTC Modified: 2005-06-13 21:59 UTC
From: blockcipher at yahoo dot com Assigned:
Status: Not a bug Package: SimpleXML related
PHP Version: 5.0.4 OS: Windows 2000
Private report: No CVE-ID: None
 [2005-06-03 16:06 UTC] blockcipher at yahoo dot com
It appears that I found an interesting interaction between the simple_xml library and the mysqli_bind_param function.  The values contained within an XML tag are returned as a simple_xml object, not strings (which is what I inferred from the Zend tutorial).  This had an adverse side-effect when combined with the mysqli_bind_param function.  Please note that this may affect other functions/libraries as well.

The steps are as follows:

1. Copy the value of an XML element into a variable.
2. Use the element in a prepared mysqli statement, binding it to the statement as a string.
3. Run the query.
4. Repeat steps 2 and 3, possibly with a different query.

After the bind, or perhaps after I was done with the query, the actual data was changed from a simple_xml object to a very odd-looking string.  This would crash the Apache web server approximately 80-90% of the time when accessed.

Original variable data:
object(SimpleXMLElement)#3 (1) {
  string(4) "test"

Modified variable data:
string(64) "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3                        "

Reproduce code:
No code provided since it is being developed for the company I work for.


 [2005-06-03 20:14 UTC] blockcipher at yahoo dot com
Here's a quick test case based on the problem.  It demonstrates the changing of the data type from an object to a string, but not the crash.

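<?php
// Element values come back from SimpleXML as SimpleXMLElement objects.
$xmltext = "<?xml version='1.0'?><body><user>test</user></body>";
$xmlObj = simplexml_load_string($xmltext);
$tempArray['username'] = $xmlObj->user;
$dbh = new mysqli('localhost','username','password','mysql');
$stmt = $dbh->prepare('select host from user where user = ? LIMIT 1');
print "Before: ";
var_dump($tempArray['username']);
print "<br/><br/>Result: ";
// No (string) cast on purpose: binding the object is the reported behaviour.
$stmt->bind_param('s', $tempArray['username']);
$stmt->execute();
$stmt->bind_result($temp);
$stmt->fetch();
print "$temp<br/><br/>After: ";
var_dump($tempArray['username']);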
 [2005-06-03 21:23 UTC]
Please try using this CVS snapshot:
For Windows:

 [2005-06-07 21:11 UTC] blockcipher at yahoo dot com
There was no difference in behavior.
 [2005-06-12 14:37 UTC]
You need to cast the simplexml text to a string first.

 [2005-06-13 21:59 UTC] blockcipher at yahoo dot com
Well, the problem is that in the tutorial on the Zend web site, there was no indication that you had to cast to a string.  Also, I see no reason that the mysqli_param should change the data type of the data being fed to it.  If nothing else, please make the documentation more clear and perhaps even fix the tutorial so that it's clearer that you need to cast to a string.
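
The cast recommended in the 2005-06-12 reply, as an added example that is not part of the original thread or of PHP's own code: each SimpleXML value is copied out as a plain string before it is handed to bind_param, which takes its arguments by reference. The helper names xml_fields_as_strings and find_host are hypothetical, the XML is constructed sample input, and the query and connection values are the ones from the test case above.

```php
<?php
/**
 * Return the text of each required child element as a real PHP string.
 * Hypothetical helper, not part of SimpleXML or mysqli.
 */
function xml_fields_as_strings(SimpleXMLElement $node, array $fields): array
{
    $out = [];
    foreach ($fields as $name) {
        $child = $node->{$name};
        // A missing element gives an empty SimpleXMLElement and a repeated
        // one gives several; reject both instead of binding a guess.
        if (count($child) !== 1) {
            throw new InvalidArgumentException("expected exactly one <$name>");
        }
        // An element that has child elements has no single scalar value.
        if (count($child->children()) > 0) {
            throw new InvalidArgumentException("<$name> must contain only text");
        }
        $out[$name] = (string) $child;   // the cast the thread calls for
    }
    return $out;
}

/** Look up the host for a user; $user is a string copy, never the XML node. */
function find_host(mysqli $dbh, string $user): ?string
{
    $stmt = $dbh->prepare('select host from user where user = ? LIMIT 1');
    $stmt->bind_param('s', $user);   // bound by reference to the local string
    $stmt->execute();
    $stmt->bind_result($host);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $host : null;
}

// Constructed sample input, same shape as the test case in the thread.
$xml = simplexml_load_string("<?xml version='1.0'?><body><user>test</user></body>");
$fields = xml_fields_as_strings($xml, ['user']);
var_dump($fields['user']);   // type of the extracted copy
var_dump($xml->user);        // the parsed document is left as it was

// With a reachable database (connection values as in the thread's test case):
// $dbh = new mysqli('localhost', 'username', 'password', 'mysql');
// var_dump(find_host($dbh, $fields['user']));
```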