Bug #43130 bind parameter cannot contain dashes
Submitted: 2007-10-29 18:07 UTC Modified: 2007-12-08 17:21 UTC
Avg. Score:3.6 ± 1.3
Reproduced:14 of 23 (60.9%)
Same Version:8 (57.1%)
Same OS:6 (42.9%)
From: joel at purerave dot com Assigned: iliaa
Status: Wont fix Package: PDO related
PHP Version: 5.2.4 OS: Windows XP Home
Private report: No CVE-ID:

 [2007-10-29 18:07 UTC] joel at purerave dot com
Parameters to bind in a prepared statement cannot contain dashes (-) in the name. It probably assumes that "-value" should be another variable.

If this cannot be fixed, then at least update the documentation to make it clear what names can and cannot be used. Using {} around the variable name would be nice too!

Reproduce code:
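$db = new PDO("mysql:host=localhost;dbname=testing", 'xxxx', 'xxxx');
// The placeholder name contains a dash.
$stmt = $db->prepare("SELECT id FROM testing WHERE id=:id-value");
// bindParam() binds $id by reference, so it can be assigned afterwards.
$stmt->bindParam(':id-value', $id);
$id = 1;
$stmt->execute();          // the call named in the warning below
var_dump($stmt->fetch());  // dumps the fetched row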

Expected result:
array(2) { ["id"]=>  string(1) "1" [0]=>  string(1) "1" }

Actual result:
Warning: PDOStatement::execute() [function.PDOStatement-execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\htdocs\test.php on line 8


 [2007-10-29 22:37 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2007-10-30 09:51 UTC]
I disagree with the decision to allow "-" in parameter names. Parameter names should consist of [a-zA-Z] and nothing else. "-" is an operator in most databases. 

For BC compatibility I'm also fine with the old pattern [:][a-zA-Z0-9_]+ . Though I must say that I'd prefer [:][a-zA-Z]+[a-zA-Z0-9_]+, don't allow ":0". ":0" looks a bit like "operator" + "number"...

However, the underlying problem here is that there is absolutely no specification for PDO. This makes PDO a guessing game and error-prone.

 [2007-12-08 17:21 UTC]
The fix for this bug that went into CVS on 29th Oct was reverted on 26th Nov following advice from various database experts.

See, and anything else on that thread for details.
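
The 2007-10-30 comment quotes the old placeholder pattern as [:][a-zA-Z0-9_]+. The PHP sketch below is an added example, not code from this report or from PDO itself: it applies that pattern to a query to list the placeholder names the query actually defines, so a bind name such as :id-value can be caught before execute() is called. The function and constant names are hypothetical, and the query strings are constructed from the one in the report.

```php
<?php
// Added illustration, not PDO's parser. The pattern is the "old pattern"
// quoted in the 2007-10-30 comment: [:][a-zA-Z0-9_]+
const PLACEHOLDER_PATTERN = '/:[a-zA-Z0-9_]+/';

// Matches single- and double-quoted SQL string literals (assumed quoting
// rules: backslash escapes and doubled quotes). Comments and "::" casts are
// not handled by this sketch.
const QUOTED_LITERAL = <<<'RE'
/'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/s
RE;

/** Return the named placeholders the quoted pattern finds in $sql. */
function placeholdersIn(string $sql): array
{
    // Blank out string literals so a value like '12:30' is not mistaken
    // for a placeholder.
    $stripped = preg_replace(QUOTED_LITERAL, "''", $sql);
    preg_match_all(PLACEHOLDER_PATTERN, $stripped, $m);
    return array_values(array_unique($m[0]));
}

/**
 * Hypothetical pre-flight check: return the bind names that the pattern
 * never yields from $sql. Binding such a name cannot match any placeholder.
 */
function undefinedBindNames(string $sql, array $bindNames): array
{
    $found = placeholdersIn($sql);
    $bad = [];
    foreach ($bindNames as $name) {
        // Accept names given with or without the leading colon.
        $name = ':' . ltrim($name, ':');
        if (!in_array($name, $found, true)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed sample input based on the report's query.
$dashed = 'SELECT id FROM testing WHERE id=:id-value';
$plain  = 'SELECT id FROM testing WHERE id=:id_value';

var_dump(placeholdersIn($dashed));                    // matching stops at the dash
var_dump(undefinedBindNames($dashed, [':id-value'])); // the report's bind name
var_dump(undefinedBindNames($plain, [':id_value']));  // underscore variant
```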
Last updated: Thu Nov 26 01:01:34 2015 UTC