Bug #43130 bind parameter cannot contain dashes
Submitted: 2007-10-29 18:07 UTC Modified: 2007-12-08 17:21 UTC
Avg. Score:3.3 ± 1.3
Reproduced:42 of 70 (60.0%)
Same Version:25 (59.5%)
Same OS:19 (45.2%)
From: joel at purerave dot com Assigned: iliaa
Status: Wont fix Package: PDO related
PHP Version: 5.2.4 OS: Windows XP Home
Private report: No CVE-ID: None
 [2007-10-29 18:07 UTC] joel at purerave dot com
Parameters to bind in a prepared statement cannot contain dashes (-) in the name. It probably assumes that "-value" should be another variable.

If this cannot be fixed, then at least update the documentation to make it clear what names can and cannot be used. Using {} around the variable name would be nice too!

Reproduce code:
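$db = new PDO("mysql:host=localhost;dbname=testing", 'xxxx', 'xxxx');
// The placeholder name contains a dash.
$stmt = $db->prepare("SELECT id FROM testing WHERE id=:id-value");
$stmt->bindParam(':id-value', $id);
$id = 1;
$stmt->execute(); // the call named in the warning under "Actual result"
var_dump($stmt->fetch());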

Expected result:
array(2) { ["id"]=>  string(1) "1" [0]=>  string(1) "1" }

Actual result:
Warning: PDOStatement::execute() [function.PDOStatement-execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\htdocs\test.php on line 8


 [2007-10-29 22:37 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2007-10-30 09:51 UTC]
I disagree with the decision to allow "-" in parameter names. Parameter names should consist of [a-zA-Z] and nothing else. "-" is an operator in most databases. 

For BC compatibility I'm also fine with the old pattern [:][a-zA-Z0-9_]+ . Though I must say, that I'd prefer [:][a-zA-Z]+[a-zA-Z0-9_]+, don't allow ":0". ":0" looks a bit like "operator" + "number"...

However, the underlying problem here is that there is absolutely no specification for PDO. This makes PDO a guessing game and error prone.
 [2007-12-08 17:21 UTC]
The fix for this bug that went into CVS on 29th Oct was reverted on 26th Nov following advice from various database experts.

See, and anything else on that thread for details.
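
The check below is an added example, not code from PDO or from anyone in this thread. It applies the [:][a-zA-Z0-9_]+ pattern quoted in the 2007-10-30 comment to show why `:id-value` is read as `:id` followed by `-value`, and derives placeholder names that the pattern accepts. All function names are hypothetical, and the quote and `::` handling is a simplification rather than PDO's real scanner.

```php
<?php
// Added example, not PDO's own code. The character class is the one quoted
// in the 2007-10-30 comment; every function name here is hypothetical.
const PLACEHOLDER_PATTERN = '/(?<!:):[a-zA-Z0-9_]+/';

/** Named placeholders the quoted pattern would recognise in $sql. */
function placeholdersIn(string $sql): array
{
    // Blank out single-quoted literals so ':x' inside a string is not counted.
    $bare = preg_replace("/'(?:[^']|'')*'/", "''", $sql);
    preg_match_all(PLACEHOLDER_PATTERN, $bare, $m);
    return array_values(array_unique($m[0]));
}

/** Bind names that match no placeholder in $sql (the HY093 case). */
function unboundNames(string $sql, array $bindNames): array
{
    return array_values(array_diff($bindNames, placeholdersIn($sql)));
}

/** Map arbitrary keys (e.g. form field names) to names the pattern accepts. */
function safePlaceholders(array $keys): array
{
    $map = [];
    foreach (array_values($keys) as $i => $key) {
        // Position-based names cannot collide the way 'id-value' and
        // 'id_value' would if dashes were simply replaced by underscores.
        $map[$key] = ':p' . $i;
    }
    return $map;
}

// Constructed sample input: the query and bind name from the report.
$sql = 'SELECT id FROM testing WHERE id=:id-value';

// Only ':id' is recognised; '-value' is left in the SQL as an expression.
print_r(placeholdersIn($sql));

// ':id-value' matches no recognised placeholder, so binding it fails.
print_r(unboundNames($sql, [':id-value']));

// Keys that differ only by '-' versus '_' still get distinct names.
print_r(safePlaceholders(['id-value', 'id_value']));
```

The generated names go into the SQL text and into `bindValue()`; the original keys are used only to look up values, so they never reach the query string.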
 [2018-10-25 16:28 UTC] neelaraghavendra1 at gmail dot com
I can't store PHP form data in MySQL.
 [2020-03-08 17:24 UTC] vinocuek51 at gmail dot com
The following pull request has been associated:

Patch Name: fix typo: mysqlx => mysqlx_x
On GitHub:
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jun 19 07:01:31 2024 UTC