Bug #44433 Text with null characters (\0) truncated when bound to prepared statement
Submitted: 2008-03-13 18:30 UTC
Modified: 2009-05-03 01:00 UTC
Votes: 10
Avg. Score: 4.0 ± 0.9
Reproduced: 9 of 9 (100.0%)
Same Version: 4 (44.4%)
Same OS: 2 (22.2%)
From: hans at velum dot net
Assigned:
Status: No Feedback
Package: PDO related
PHP Version: 5.2.5
OS: Gentoo Linux
Private report: No
CVE-ID: None
 [2008-03-13 18:30 UTC] hans at velum dot net
Description:
------------
I'm using PostgreSQL (8.2.x) and am having a problem inserting serialized data containing null characters (\0) into the database.  I am using prepared statements and the bindValue() method to bind the serialized data as a PDO::PARAM_STR.

It's not obvious from the output below, but these serialized strings contain null values because of the private variables.

I can't seem to find an existing bug for this; however, it surprises me that no one has reported this before.


Reproduce code:
---------------
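<?php
// Connect to PostgreSQL and make PDO throw exceptions on errors.
$pdo = new PDO('pgsql: dbname=testdb user=postgres');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Start from a clean table; the DROP fails harmlessly on the first run.
try {
  $pdo->exec('DROP TABLE testtbl');
} catch (PDOException $x) { /* ignore */ }

$pdo->exec('CREATE TABLE testtbl (id integer not null, txtcol text)');

// serialize() stores a private property name as "\0ClassName\0property",
// so the serialized string contains NUL bytes.
class MyClass {
  private $var1;
  function __construct($val) { $this->var1 = $val; }
}

$serialized = serialize(array('foo' => new MyClass('bar'), 'baz' => new MyClass('bingo!')));

print "Serialized data: " . $serialized . PHP_EOL;

// Bind the serialized string as a plain string parameter and insert it.
$stmt = $pdo->prepare('INSERT INTO testtbl (id, txtcol) VALUES (1, ?)');
$stmt->bindValue(1, $serialized, PDO::PARAM_STR);
$stmt->execute();

// Read the row back to compare with what was sent.
$stmt = $pdo->query('SELECT * FROM testtbl WHERE id = 1');
$row = $stmt->fetch();

print "From database: " . $row['txtcol'] . PHP_EOL;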


Expected result:
----------------
Serialized data: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}
From database: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}

Actual result:
--------------
Serialized data: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}
From database: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"

 [2009-03-09 23:21 UTC] bmauser at gmail dot com
I noticed the same problem on Windows (Vista) and the same PHP version 5.2.5. The serialized string I tried to store in the database was:

O:8:"Psa_User":3:{s:9:" * groups";a:0:{}s:13:" * last_login";i:0;s:10:"test_value";i:391;}

and when I put the output from serialize() in a hex editor you can see some null characters:

00000000h: 4F 3A 38 3A 22 50 73 61 5F 55 73 65 72 22 3A 33 ; O:8:"Psa_User":3
00000010h: 3A 7B 73 3A 39 3A 22 00 2A 00 67 72 6F 75 70 73 ; :{s:9:".*.groups
00000020h: 22 3B 61 3A 30 3A 7B 7D 73 3A 31 33 3A 22 00 2A ; ";a:0:{}s:13:".*
00000030h: 00 6C 61 73 74 5F 6C 6F 67 69 6E 22 3B 69 3A 30 ; .last_login";i:0
00000040h: 3B 73 3A 31 30 3A 22 74 65 73 74 5F 76 61 6C 75 ; ;s:10:"test_valu
00000050h: 65 22 3B 69 3A 33 39 31 3B 7D                   ; e";i:391;}

The value in the query that should update the database is truncated at the first null character in the string. That is true for prepared statements with PDO->prepare() and also for values that are only escaped with PDO->quote().

When using the same code with the mysql_pdo driver, queries are not truncated and the null characters are stored in the database blob object.

I used the base64_encode and decode functions to work around this and stored the base64-encoded string in the database.
 [2009-04-25 14:56 UTC] jani@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-05-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2012-10-12 12:57 UTC] metala at metala dot org
I have experienced the same issue with PHP 5.4.4-7 using Debian wheezy/sid.

Actually, it made me drop the idea of storing objects in the database and I used the conventional way to solve the problem. So it was frustrating...
 [2012-10-12 13:01 UTC] metala at metala dot org
Forgot to add the postgres and pdo_pgsql versions.

pdo_pgsql

PDO Driver for PostgreSQL => enabled
PostgreSQL(libpq) Version => 9.1.5
Module version => 1.0.2
Revision =>  $Id$ 

Package: postgresql-9.1                  
State: installed
Automatically installed: no
Version: 9.1.5-2
 [2012-12-28 16:30 UTC] emeraldd dot chris at gmail dot com
I can confirm that this still exists in PHP 5.3.19 (also running Gentoo). Has anyone found a solution?
 [2012-12-28 16:38 UTC] emeraldd dot chris at gmail dot com
It looks like this might actually be a limitation in PostgreSQL. From what I can tell, the database does not support storing the null character.

http://stackoverflow.com/questions/1347646/postgres-error-on-insert-error-invalid-byte-sequence-for-encoding-utf8-0x0

The relevant line is just above heading 4.1.2.3

http://www.postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-UESCAPE
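
Added example (not part of the bug report or of PHP's own code): the base64 workaround mentioned in the 2009-03-09 comment, combined with a check for the NUL bytes that the last comment says a PostgreSQL text value cannot hold. It runs without a database; the helper names are hypothetical, and asCString() only models a consumer that stops at the first NUL, it is not pdo_pgsql's code.

```php
<?php
// Added example, not from the report. Runs without a database.
// MyClass mirrors the reporter's class; helper names are hypothetical.
class MyClass {
    private $var1;
    function __construct($val) { $this->var1 = $val; }
}

// Offsets of every NUL byte in a binary string.
function nulOffsets(string $s): array {
    $offsets = [];
    for ($pos = 0; ($pos = strpos($s, "\0", $pos)) !== false; $pos++) {
        $offsets[] = $pos;
    }
    return $offsets;
}

// Model of a NUL-terminated consumer: keeps what precedes the first NUL.
function asCString(string $s): string {
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

// base64 output uses only [A-Za-z0-9+/=], so it is safe for a text column.
function encodeForTextColumn($value): string {
    return base64_encode(serialize($value));
}

// Strict decoding rejects anything that is not valid base64.
function decodeFromTextColumn(string $stored) {
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        throw new InvalidArgumentException('stored value is not valid base64');
    }
    // Restrict unserialize() to the classes this column is expected to hold.
    return unserialize($raw, ['allowed_classes' => ['MyClass']]);
}

$data = ['foo' => new MyClass('bar'), 'baz' => new MyClass('bingo!')];
$serialized = serialize($data);

echo 'NUL offsets: ', implode(',', nulOffsets($serialized)), PHP_EOL;
echo 'C-string view: ', asCString($serialized), PHP_EOL;

$stored = encodeForTextColumn($data); // value to bind with PDO::PARAM_STR
echo 'NUL in stored form: ', var_export(strpos($stored, "\0") !== false, true), PHP_EOL;
echo 'Round trip equal: ', var_export(decodeFromTextColumn($stored) == $data, true), PHP_EOL;
```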
 
Last updated: Wed May 15 04:01:33 2024 UTC