php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #36281 bindParam not working with LIKE '%:foo%'
Submitted: 2006-02-04 05:35 UTC Modified: 2006-02-08 16:29 UTC
From: vendor at visv dot net Assigned:
Status: Closed Package: Documentation problem
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2006-02-04 05:35 UTC] vendor at visv dot net 
Description:
------------
$q = "SELECT id, name FROM test WHERE name like '%:foo%';
$s = "carrot";

$dbh = new PDO('mysql:...', $user, $pass);

$sth = $dbh->prepare($q);
$sth->bindParam(':foo', $s);
$sth->execute()

while ($r = $sth->fetch()) {
    print_r($r);
}

the above does not work. Adding PDO::PARAM_STR, and the
length argument do not help matters.

simply embedding $s in place of :foo does work. It also
works fine if I leave off the "'%" and "%'" parts
and $s == the column value. It just seems bindParam()
cannot cope with the '% %' parts in the query.

I do not find similar in your bugtracking system, nor
in user supplied notes (currently there are none).

Thanks.


Reproduce code:
---------------
See description.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-02-04 12:48 UTC] tony2001@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip
 [2006-02-04 18:21 UTC] vendor at visv dot net 
No change nor improvement with http://snaps.php.net/php5.1-latest.tar.gz on Feb 4. 12:20PM
 [2006-02-04 18:49 UTC] wez@php.net 
That is not a valid parameter definition.
 [2006-02-04 18:49 UTC] derick@php.net 
I doubt this is a bug... many DB APIs simply don't support bind variables like this. A bind variable is not just any substitution for a string.
 [2006-02-04 18:54 UTC] vendor at visv dot net 
Possibly. How can we determine that definitively? At the
least, I would like to add a user-note to the online
documentation, if someone cannot add it to the core docs
for pdo-mysql.

The db in question is mysql 4.1
 [2006-02-05 18:54 UTC] dbs@php.net 
The bug reporter has erred in assuming that parameters can be replaced _inside_ delimited strings within the SQL statement; he or she is treating parameter markers like plain old PHP variables. Of course, that would lead directly to possible SQL injection, which is exactly what bound parameters are meant to avoid.

(Also, the sample code provided is missing an ending double-quote on the first line.)

I'm sure the application will work as intended if rewritten as follows:

$q = "SELECT id, name FROM test WHERE name like :foo";
$s = "carrot";

$dbh = new PDO('mysql:...', $user, $pass);

$sth = $dbh->prepare($q);
/* prepend and append % around the user-supplied value to match anywhere in the NAME field */
$s = "%{$s}%";
$sth->bindParam(':foo', $s);
$sth->execute()

while ($r = $sth->fetch()) {
    print_r($r);
}
 [2006-02-05 23:28 UTC] vendor at visv dot net 
The code suggested by dbs@php.net in the previous comment 
works. I have used this as a basis for a user-contibuted-note
in the online documentation.

Thank you.
 [2006-02-06 08:28 UTC] derick@php.net 
It's still a good thing to document Dan...
 [2006-02-08 16:29 UTC] vrana@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Jul 26 23:00:02 2025 UTC