|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #37838 pg_escape_string is not capable of escaping null characters
Submitted: 2006-06-18 16:21 UTC Modified: 2006-06-19 13:28 UTC
From: jona at oismail dot com Assigned:
Status: Not a bug Package: PostgreSQL related
PHP Version: 5.1.4 OS: Windows 2000
Private report: No CVE-ID: None
 [2006-06-18 16:21 UTC] jona at oismail dot com
It appears that pg_escape_string is not capable of escaping null characters (such as those found in a serialised object with private/protected member variables).
The returned string is truncated when the null character (\0) is encountered and thus any data after the null character is lost.

It appears that PostGreSQL has a problem with null characters, as even using addslashes() for escaping the null character the query executes but data after the null character is never inserted into the database.

This behaviour is observed on Windows 2000 running PostGreSQL 8.0.3 and PHP 5.1.4 via IIS 5.0.

Reproduce code:
class Test
	private $privateVar;
	protected $protectedVar;
	public function __construct($private, $protected)
		$this->privateVar = $private;
		$this->protectedVar = $protected;
echo pg_escape_string(serialize(new Test("private variable", "protected variable") ) );

Expected result:
properly escaped string that can be sent to the PostGreSQL backend

Actual result:
screen output: O:4:"Test":2:{s:16:"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-06-19 01:30 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

To encode binary characters such as \0 you need to use to 
pg_escape_bytea() function.
 [2006-06-19 13:28 UTC] jona at oismail dot com
If the behaviour is intended I must apologize for causing a fuss but I didn't realise this was the case.
But perhaps the documentation should outlines this clearly?
Or maybe the function should throw an E_WARNING when encountering a null character rather than just silently truncating the string??

I expected to be able to use pg_escape_string when storing a serialized object with private/protected members in the database (such as when using objects for session data) and was rather baffled to realise that my serialised object was truncated after the first \0.

Thank you for your hard work with making PHP even better.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jun 24 23:01:31 2024 UTC