Bug #44173 PDO->query() parameter parsing/checking needs an update
Submitted: 2008-02-19 15:52 UTC Modified: 2009-04-02 16:44 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: uwendel at mysql dot com Assigned: mbeccati
Status: Closed Package: PDO related
PHP Version: 5.3CVS-2008-02-19 (CVS) OS: Irrelevant
Private report: No CVE-ID:
 [2008-02-19 15:52 UTC] uwendel at mysql dot com
Description:
------------
Parameter parsing/checking by PDO->query() should be updated to today's standards. I would like to see it be more strict and follow ideas from new code, e.g. do not accept objects/arrays for a scalar (int) parameter.

[1] PDO->query() -> Warning: query(): could not obtain parameters for parsing

[2] assert(PDO::FETCH_CLASS != 1); PDO->query("SELECT ...", 1, 1, 1) -> four arguments only make sense for mode = PDO::FETCH_CLASS but 1 != PDO::FETCH_CLASS, I'd expect to see a warning

[3] $mode = new stdClass();
PDO->query('SELECT ...', $mode) -> Notice + PDOStatement returned ($mode cast to 1 I guess)

[4] PDO->query('SELECT ...', 2, 3, 4, 5) --> too many arguments in any case according to http://de.php.net/manual/en/function.PDO-query.php





Reproduce code:
---------------
[1] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("mysql:dbname=phptest;unix_socket=/tmp/mysql.sock", "root", "root"); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query());'

Warning: query(): could not obtain parameters for parsing in Command line code on line 1
bool(false)

[2] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); var_dump($pdo->query("SELECT id FROM test", 1, 1, 1));'
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}

[2] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); assert(PDO::FETCH_CLASS != 1); var_dump($pdo->query("SELECT id FROM test", 1, 1, 1));'
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}

[3] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); var_dump($pdo->query("SELECT id FROM test", $mode));'

Notice: Object of class stdClass could not be converted to int in Command line code on line 1
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}

[4] nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); $mode = new stdClass(); assert(PDO::FETCH_CLASS != 2); var_dump($pdo->query("SELECT id FROM test", 2, 3, 4, 5));'
object(PDOStatement)#3 (1) {
  ["queryString"]=>
  string(19) "SELECT id FROM test"
}


Expected result:
----------------
Just have a closer look at the function, play with the parameters, make it a bit stricter and throw more hints for the user.


 [2008-02-19 16:18 UTC] uwendel at mysql dot com
[5] PDO->query('SELECT ...', PDO::FETCH_INTO) -> no proper error message

nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query("SELECT id FROM test", PDO::FETCH_INTO));'

Warning: PDO::query(): SQLSTATE[]: <<Unknown error>> in Command line code on line 1
bool(false)
 [2008-02-19 16:21 UTC] uwendel at mysql dot com
[6] PDO->query("SELECT", PDO::FETCH_COLUMN) -> error message could be better

nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query("SELECT id FROM test", PDO::FETCH_COLUMN));'

Warning: PDO::query(): SQLSTATE[]: <<Unknown error>> in Command line code on line 1
bool(false)
 [2008-02-19 16:25 UTC] uwendel at mysql dot com
And a last one...


[7] PDO->query('SELECT....', PDO::FETCH_CLASS) -> proper error message

nixnutz@ulflinux:~/php53> sapi/cli/php -r 'error_reporting(E_ALL); $pdo=new PDO("sqlite:/tmp/foo.db"); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING); @$pdo->exec("DROP TABLE test"); $pdo->exec("CREATE TABLE test(id INT)"); $pdo->exec("INSERT INTO test(id) VALUES (1)"); var_dump($pdo->query("SELECT id FROM test", PDO::FETCH_CLASS, "unknown"));'

Warning: PDO::query(): SQLSTATE[]: <<Unknown error>> in Command line code on line 1
bool(false)


I have not checked other error modes of PDO. I do not know if PDO shall raise an exception for every warning it prints, if that's intended at all.
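
A userland version of the stricter checking the report asks for, covering cases [2] to [7]. This is an added example, not part of the report or of PHP's source: `strictQuery()` is a hypothetical helper, and the per-mode argument rules it enforces are those documented for PDOStatement::setFetchMode().

```php
<?php
// Added example: strictQuery() is a hypothetical wrapper, not part of PDO. Flags OR'ed into the mode are not handled.
function strictQuery(PDO $pdo, string $sql, ...$modeArgs): PDOStatement
{
    if ($modeArgs !== []) {
        $mode = array_shift($modeArgs);
        if (!is_int($mode)) { // case [3]: object or array where an int is expected
            throw new InvalidArgumentException('fetch mode must be int, got ' . gettype($mode));
        }
        $n = count($modeArgs);
        switch ($mode) {
            case PDO::FETCH_COLUMN: // case [6]: needs the column index
                $ok = $n === 1 && is_int($modeArgs[0]);
                break;
            case PDO::FETCH_CLASS: // case [7]: class must exist; constructor args optional
                $ok = ($n === 1 || $n === 2) && is_string($modeArgs[0])
                    && class_exists($modeArgs[0]) && ($n === 1 || is_array($modeArgs[1]));
                break;
            case PDO::FETCH_INTO: // case [5]: needs the target object
                $ok = $n === 1 && is_object($modeArgs[0]);
                break;
            default: // cases [2] and [4]: other modes take nothing further
                $ok = $n === 0;
        }
        if (!$ok) {
            throw new InvalidArgumentException("bad arguments for fetch mode $mode ($n given)");
        }
        array_unshift($modeArgs, $mode);
    }
    $stmt = $pdo->query($sql, ...$modeArgs);
    if ($stmt === false) {
        throw new RuntimeException('query failed: ' . implode(' ', $pdo->errorInfo()));
    }
    return $stmt;
}

// Constructed demo: the report's argument lists against an in-memory SQLite table (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE test(id INT)');
$calls = ['[2]' => [1, 1, 1], '[3]' => [new stdClass()], '[4]' => [2, 3, 4, 5],
    '[5]' => [PDO::FETCH_INTO], '[6]' => [PDO::FETCH_COLUMN],
    '[7]' => [PDO::FETCH_CLASS, 'unknown'], 'valid' => [PDO::FETCH_COLUMN, 0]];
foreach ($calls as $label => $args) {
    try {
        strictQuery($pdo, 'SELECT id FROM test', ...$args);
        echo "$label accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label rejected: {$e->getMessage()}\n";
    }
}
```

Case [1], a call with no arguments at all, is rejected by the wrapper's own signature because `$sql` is a required parameter.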
 [2009-03-22 17:59 UTC] matteo at beccati dot com
Fix is available here:

http://www.beccati.com/misc/php/pdo_pgsql_bug44173_php_5.3.patch
 [2009-03-22 19:36 UTC] matteo at beccati dot com
The following patch also removes the goto from the function, as suggested by Johannes:

http://www.beccati.com/misc/php/pdo_pgsql_bug44173_php_5.3_v2.patch
 [2009-04-02 16:44 UTC] mbeccati@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 