php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43130 bind parameter cannot contain dashes
Submitted: 2007-10-29 18:07 UTC Modified: 2007-12-08 17:21 UTC
Votes:21
Avg. Score:4.2 ± 0.9
Reproduced:8 of 13 (61.5%)
Same Version:5 (62.5%)
Same OS:3 (37.5%)
From: joel at purerave dot com Assigned: iliaa
Status: Wont fix Package: PDO related
PHP Version: 5.2.4 OS: Windows XP Home
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2007-10-29 18:07 UTC] joel at purerave dot com
Description:
------------
Parameters to bind in a prepared statement cannot contain dashes (-) in the name. It probably assumes that "-value" should be another variable.

If this cannot be fixed, then at least update the documentation to make it clear what names can and cannot be used. Using {} around the variable name would be nice too!

Reproduce code:
---------------
$db = new PDO("mysql:host=localhost;dbname=testing", 'xxxx', 'xxxx');
$stmt = $db->prepare("SELECT id FROM testing WHERE id=:id-value");
$stmt->bindParam(':id-value', $id);
$id = 1;
$stmt->execute();
var_dump($stmt->fetch());

Expected result:
----------------
array(2) { ["id"]=>  string(1) "1" [0]=>  string(1) "1" }

Actual result:
--------------
Warning: PDOStatement::execute() [function.PDOStatement-execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\htdocs\test.php on line 8
bool(false)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-10-29 22:37 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-10-30 09:51 UTC] uw@php.net
I disagree with the decision to allow "-" in parameter names. Parameter names should consist of [a-zA-Z] and nothing else. "-" is an operator in most databases. 

For BC compatibility I'm also fine with the old pattern [:][a-zA-Z0-9_]+ . Though I must say, that I'd prefer [:][a-zA-Z]+[a-zA-Z0-9_]+, don't allow ":0". ":0" looks a bit like "operator" + "number"...

However, the underlying problem here is that there is absolutely no specification for PDO. This makes PDO a guessing game and error prone.
 [2007-12-08 17:21 UTC] sfox@php.net
The fix for this bug that went into CVS on 29th Oct was reverted on 26th Nov following advice from various database experts.

See http://news.php.net/php.cvs/46848, http://news.php.net/php.cvs/47302 and anything else on that thread for details.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 16:02:23 2014 UTC