php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #37838 pg_escape_string is not capable of escaping null characters
Submitted: 2006-06-18 16:21 UTC Modified: 2006-06-19 13:28 UTC
From: jona at oismail dot com Assigned:
Status: Not a bug Package: PostgreSQL related
PHP Version: 5.1.4 OS: Windows 2000
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jona at oismail dot com
New email:
PHP Version: OS:

 

 [2006-06-18 16:21 UTC] jona at oismail dot com
Description:
------------
It appears that pg_escape_string is not capable of escaping null characters (such as those found in a serialised object with private/protected member variables).
The returned string is truncated when the null character (\0) is encountered and thus any data after the null character is lost.

It appears that PostGreSQL has a problem with null characters, as even using addslashes() for escaping the null character the query executes but data after the null character is never inserted into the database.

This behaviour is observed on Windows 2000 running PostGreSQL 8.0.3 and PHP 5.1.4 via IIS 5.0.

Reproduce code:
---------------
<?php
class Test
{
	private $privateVar;
	protected $protectedVar;
	
	public function __construct($private, $protected)
	{
		$this->privateVar = $private;
		$this->protectedVar = $protected;
	}
}
echo pg_escape_string(serialize(new Test("private variable", "protected variable") ) );
?>

Expected result:
----------------
properly escaped string that can be sent to the PostGreSQL backend

Actual result:
--------------
screen output: O:4:"Test":2:{s:16:"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-06-19 01:30 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

To encode binary characters such as \0 you need to use to 
pg_escape_bytea() function.
 [2006-06-19 13:28 UTC] jona at oismail dot com
If the behaviour is intended I must apologize for causing a fuss but I didn't realise this was the case.
But perhaps the documentation should outlines this clearly?
Or maybe the function should throw an E_WARNING when encountering a null character rather than just silently truncating the string??

I expected to be able to use pg_escape_string when storing a serialized object with private/protected members in the database (such as when using objects for session data) and was rather baffled to realise that my serialised object was truncated after the first \0.

Thank you for your hard work with making PHP even better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jun 14 12:01:29 2024 UTC