PHP :: Bug #39143 :: prepared statement with input parameters and db function fails

Bug #39143	prepared statement with input parameters and db function fails
Submitted:	2006-10-13 02:43 UTC	Modified:	2006-10-13 06:41 UTC
From:	aspen dot olmsted at alliance dot biz	Assigned:
Status:	Not a bug	Package:	PDO related
PHP Version:	5CVS-2006-10-13 (snap)	OS:	Windows XP SP2
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	aspen dot olmsted at alliance dot biz
New email:
PHP Version:		OS:

New Comment:

[2006-10-13 02:43 UTC] aspen dot olmsted at alliance dot biz

Description:
------------
If you try to insert a record using MSSQL, ODBC, PDO and windows with a replacement parameter that is a db function it will fail.  The same insert can be written without replacement parameters using both exec and prepare.

Reproduce code:
---------------
SQL Table:
CREATE TABLE [pdotest] (
	[Code] [int] NOT NULL ,
	[Description] [varchar] (100) 
) ON [PRIMARY]
GO

SQL Function:
CREATE FUNCTION dbo.pdo_GetCode (@inCode int)  
RETURNS int AS  
BEGIN
return @incode
END

$a[Code] = 'dbo.pdo_getcode(26050)';
$a[Description] = 'test';

$stmt = $dbh->prepare("insert into pdotest(Code,Description) VALUES (:Code,:Description)");
$x = $stmt->execute($a);
$stmt = null;
    
$stmt = $dbh->prepare("insert into pdotest(Code,Description) VALUES (dbo.pdo_getcode(26050),'test')");
$x = $stmt->execute();
$stmt = null;

$x = $dbh->exec("insert into pdotest(Code,Description) VALUES (dbo.pdo_getcode(26050),'test')");

Expected result:
----------------
With the above code all three methods should insert a record

Actual result:
--------------
The first method fails with the replacement parameters and the other two pass.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-10-13 06:41 UTC] thetaphi@php.net

This cannot work.
A replacement parameter is not to replace parts of the SQL code, it is for setting data values before execution. Databases that support it will compile the code before execution which then will generate a speedup when the same statement is called more often with different data values.
So: A replacement parameter must resove to data not a sql fragment.
In your example the following SQL is executed after replacement:

insert into pdotest(Code,Description) VALUES
('dbo.pdo_getcode(26050)','test')

This will fail. A correct statement would be with a data parameter, e.g.:

$a[Code] = 26050;
$a[Description] = 'test';

$stmt = $dbh->prepare("insert into pdotest(Code,Description) VALUES
(dbo.pdo_getcode(:Code),:Description)");
$x = $stmt->execute($a);
$stmt = null;

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed May 15 07:01:32 2024 UTC