php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #35001 PDO unexpected crash on update
Submitted: 2005-10-27 16:26 UTC Modified: 2005-11-04 01:00 UTC
From: antleclercq at online dot fr Assigned:
Status: No Feedback Package: PDO related
PHP Version: 5CVS-2005-10-27 (snap) OS: Win2000
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-10-27 16:26 UTC] antleclercq at online dot fr 
Description:
------------
Hi,

I get this stange bug with the following code. I thought it was fixed when I read the bug report: bugs.php.net/?id=34861, but it seems only partially.

Create the folowing table in a "test" db under mysql :
CREATE TABLE `test` (
  `id` int(11) NOT NULL default '0',
  `test1` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `test` VALUES (1, 'test', '');

Using the code below, try posting the following string :
x"'"x:a

(magic_quotes_gpc is on)

I took the latest snapshot for Win2000.

Info : that doesn't crash when using $db->exec($sql).

Antoine

Reproduce code:
---------------
<?php
if (isset($_POST))
{
	$string = $_POST["string"];
	$db = new PDO("mysql:dbname=test;host=localhost", "##user##", "##password##");
	$sql = "UPDATE test SET test1 = '".$string."' WHERE id = '1'";
	$res = $db->prepare($sql);
	$res->execute();
}
?>
<form action="" method="POST">
	<input type="text" value="<?php if (isset($_POST)){echo $_POST["string"];}?>" name="string">
</form>

Expected result:
----------------
It should update the record.

Actual result:
--------------
Warning: PDOStatement::execute() [function.execute]: SQLSTATE[HY093]: Invalid parameter number: no parameters were bound in C:\Program Files\Apache Group\Apache2\htdocs\test.php on line 16

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-27 17:10 UTC] tony2001@php.net 
Add var_dump($sql); just before $res->prepare() and paste the output here.
 [2005-11-04 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-03-25 16:37 UTC] andrespontt at gmail dot com 
you should try bind variables like this:

<?php
if (isset($_POST))
{
	$id = '1';
        $string = $_POST["string"];

	$db = new PDO("mysql:dbname=test;host=localhost", "##user##",
"##password##");
	$sql = "UPDATE test SET test1 = :string WHERE id = :id;
	$res = $db->prepare($sql);
        
        $res->bindParam(':id', $id);
        $res->bindParam(':string', $string);
	$res->execute();
}
?>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat May 11 01:01:31 2024 UTC