Bug #36760 PDO find Parameter but there's no parameter
Submitted: 2006-03-16 18:10 UTC
Modified: 2006-03-18 18:20 UTC
From: n dot escuder at intra-links dot com
Assigned:
Status: Not a bug
Package: PDO related
PHP Version: 5.1.2
OS: Linux
Private report: No
CVE-ID: None
 [2006-03-16 18:10 UTC] n dot escuder at intra-links dot com
Description:
------------
PDO found some parameter / value.


Reproduce code:
---------------
$pdo = new PDO('mysql:host=192.168.69.20;dbname=Released', 'Web', 'Master99');
$query = "update Test set value='";

$var = "enabled=boolean:true
description=string:\"Test\"
type=integer?
";

$query .= mysql_escape_string($var);

$query  .= "', where id='2'";

$statement = $pdo->prepare($query);
$statement->execute();


Expected result:
----------------
No warning / error and the update of the database with the real content of $var.



Actual result:
--------------
Actually no update if $var is = "enabled=boolean:true
description=string:\"Test\"
type=integer?
";

but if $var is = "enabled=boolean:true
description=string:\"Test\"
type=integer?";

in the database we found:
enabled=boolean?
description=string:"Test"
type=integer?

 [2006-03-18 18:20 UTC] tony2001@php.net
Using mysql_escape_string() with PDO is definitely not the recommended way. 
Use bound parameters instead.
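
The bound-parameter approach recommended in the reply above, shown as an added example that is not part of the original report or of PHP's own code. It assumes an in-memory SQLite database (pdo_sqlite) in place of the reporter's MySQL server so that it runs offline; updateValue() and readValue() are hypothetical helper names.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL server
// from the report; the table layout (id, value) is constructed to match the query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Test (id INTEGER PRIMARY KEY, value TEXT)');
$pdo->exec("INSERT INTO Test (id, value) VALUES (2, '')");

// The SQL text holds only placeholders. The data is bound separately, so it is
// never scanned for ':name' or '?' markers and needs no manual escaping.
function updateValue(PDO $pdo, int $id, string $value): int
{
    $stmt = $pdo->prepare('UPDATE Test SET value = :value WHERE id = :id');
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function readValue(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT value FROM Test WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Constructed test values: the two variants from the report (with and without
// the trailing newline) plus one containing a quote and a backslash.
$samples = [
    "enabled=boolean:true\ndescription=string:\"Test\"\ntype=integer?\n",
    "enabled=boolean:true\ndescription=string:\"Test\"\ntype=integer?",
    "note=string:'it\\'s' ? :id",
];

foreach ($samples as $i => $value) {
    $rows   = updateValue($pdo, 2, $value);
    $stored = readValue($pdo, 2);
    // Round-trip check: one row updated and the stored bytes equal the input.
    printf(
        "sample %d: rows=%d, stored unchanged=%s\n",
        $i,
        $rows,
        var_export($stored === $value, true)
    );
}
```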
Last updated: Thu Mar 28 17:01:29 2024 UTC