Bug #39483 Problem with using placeholders and string constants in PDO MySQL
Submitted: 2006-11-12 16:23 UTC Modified: 2006-12-04 00:41 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: suhachov at gmail dot com Assigned:
Status: Closed Package: PDO related
PHP Version: 5.2.0 OS: Linux
Private report: No CVE-ID:
 [2006-11-12 16:23 UTC] suhachov at gmail dot com
Description:
------------
It seems that the PDO SQL parser is broken and tries to look for placeholders within string constants.

$dbh = new PDO('mysql:...','...','...');
$sth = $dbh->prepare('SELECT my_udf(\'\0:D\0\'),?');
$sth->execute(array(1));

This code triggers an error:
PDO::prepare(): SQLSTATE[HY093]: Invalid parameter number: mixed named and positional parameters

And I can't replace the string constant with a placeholder, because MySQL doesn't allow using placeholders with UDFs.

Reproduce code:
---------------
see above.
You don't even need any installed UDF.


 [2006-11-12 17:56 UTC] iliaa@php.net
which version of MySQL are you using?
 [2006-11-12 18:05 UTC] suhachov at gmail dot com
I've tried it with:
5.0.26
4.1.15
 [2006-11-12 18:11 UTC] suhachov at gmail dot com
Oh! I forgot to note: when I compile pdo_mysql with the 5.0 libraries, I get this error. When I compile it with the 4.1 libraries, I get another error, but at the same place.
 [2006-11-14 18:43 UTC] suhachov at gmail dot com
I suggest a patch to fix this problem:

pdo_sql_parser.re:
        (["] (ESCQQ|ANYNOEOF\[\\"])* ["])      { RET(PDO_PARSER_TEXT); }
        (['] (ESCQ|ANYNOEOF\[\\'])* ['])       { RET(PDO_PARSER_TEXT); }
replace with:
        (["] (ESCQQ|[\\]ANYNOEOF|ANYNOEOF\[\\"])* ["])      { RET(PDO_PARSER_TEXT); }
        (['] (ESCQ|[\\]ANYNOEOF|ANYNOEOF\[\\'])* ['])       { RET(PDO_PARSER_TEXT); }

(i.e. allow any symbol escaped with backslash). 
I've regenerated the parser and it seems to be working now...
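
An added example, not part of the original report or of PHP's source: a simplified Python model of the scanner's quoted-string rule before and after the change suggested above, run on the query from the report. The regex translation of the rules, the assumed ESCQ/ESCQQ definition (backslash plus quote), the omission of the scanner's other rules, and all function names are assumptions made for illustration.

```python
import re

def string_rule(quote, fixed):
    """Regex equivalent of one quoted-string rule from pdo_sql_parser.re."""
    # Before the change only backslash+quote (ESCQ/ESCQQ, definition assumed)
    # counts as an escape; after it, backslash + any non-NUL character does,
    # which also covers backslash+quote.
    esc = r"\\[^\x00]" if fixed else r"\\" + quote
    return rf"{quote}(?:{esc}|[^\x00\\{quote}])*{quote}"

def scan(sql, fixed):
    """Return the placeholders the modelled scanner finds outside string text."""
    pattern = re.compile(
        "(?P<text>" + string_rule('"', fixed) + "|" + string_rule("'", fixed) + ")"
        r"|(?P<named>:[A-Za-z0-9_]+)"   # named placeholder such as :D
        r"|(?P<pos>\?)"                 # positional placeholder
        r"|(?P<other>[^\x00])"          # anything else, one character at a time
    )
    return [(m.lastgroup, m.group()) for m in pattern.finditer(sql)
            if m.lastgroup in ("named", "pos")]

def check(sql, fixed):
    """Mimic the prepare-time check that produced the error in the report."""
    kinds = {kind for kind, _ in scan(sql, fixed)}
    if kinds == {"named", "pos"}:
        return "HY093: mixed named and positional parameters"
    return "ok"

# Query from the report as MySQL receives it: PHP's single-quoted string
# leaves \0 as a literal backslash followed by the digit 0.
SQL = r"SELECT my_udf('\0:D\0'),?"

if __name__ == "__main__":
    for fixed in (False, True):
        label = "after " if fixed else "before"
        print(label, scan(SQL, fixed), check(SQL, fixed))
```

With the original rule the literal fails to match as a string as soon as the scanner meets a backslash that is not followed by the quote, so `:D` inside it is reported as a named placeholder next to the real `?`.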
 [2006-12-04 00:41 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Sat Apr 19 12:01:52 2014 UTC