php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #33233 mysqli_bind_param/simple_xml interaction problem
Submitted: 2005-06-03 16:06 UTC Modified: 2005-06-13 21:59 UTC
From: blockcipher at yahoo dot com Assigned:
Status: Not a bug Package: SimpleXML related
PHP Version: 5.0.4 OS: Windows 2000
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: blockcipher at yahoo dot com
New email:
PHP Version: OS:

 

 [2005-06-03 16:06 UTC] blockcipher at yahoo dot com 
Description:
------------
It appears that I found an interesting interaction between the simple_xml library and the mysqli_bind_param function.  The values contained within an XML tag are returned as simple_xml object, not strings (which is what I inferred from the Zend tutorial.)  This had an adverse side-effect when combined with the mysqli_bind_param function.  Please note that this may affect other functions/libraries as well.

The steps are as follows:

1. Copy the value of an XML element into a variable.
2. Use the element in a prepared mysqli statement, binding it to the statement as a string.
3. Run the query.
4. Repeat steps 2 and 3, possibly with a different query.

After the bind or perhaps after I was done with the query, the actual data was changed from a simple_xml object to a very odd looking string.  This would crash the apache web server approximately 80-90% of the time when accessed.

Original variable data:
["username"]=>
object(SimpleXMLElement)#3 (1) {
  [0]=>
  string(4) "test"
}

Modified variable data:
["username"]=>
string(64) "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3                        "

Reproduce code:
---------------
No code provided since it is being developed for the company I work for.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-06-03 20:14 UTC] blockcipher at yahoo dot com 
Here's a quick test case based on the problem.  It demonstrates the changing of the data type from an object to a string, but not the crash.

<?php
$xmltext = "<?xml version='1.0'?><body><user>test</user></body>";
$xmlObj = simplexml_load_string($xmltext);
$tempArray['username'] = $xmlObj->user;
$dbh = new mysqli('localhost','username','password','mysql');
$stmt = $dbh->prepare('select host from user where user = ? LIMIT 1');
print "Before: ";
var_dump($tempArray);
print "<br/><br/>Result: ";
$stmt->bind_param('s', $tempArray['username']);
$stmt->execute();
$stmt->bind_result($temp);
$stmt->fetch();
$stmt->close;
print "$temp<br/><br/>After: ";
var_dump($tempArray);
$dbh->close;
?>
 [2005-06-03 21:23 UTC] sniper@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip
 [2005-06-07 21:11 UTC] blockcipher at yahoo dot com 
There was no difference in behavior.
 [2005-06-12 14:37 UTC] sniper@php.net 
You need to cast the simplexml text to a string first.
 [2005-06-13 21:59 UTC] blockcipher at yahoo dot com 
Well, the problem is that in the tutorial on the Zend web site, there was no indication that you had to cast to a string.  Also, I see no reason that the mysqli_param should change the data type of the data being fed to it.  If nothing else, please make the documentation more clear and perhaps even fix the tutorial so that it's clearer that you need to cast to a string.
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved. 		Last updated: Tue Sep 26 03:01:25 2023 UTC