Bug #44895 Passing XML as a parameter to a stored procedure, causes syntax error.
Submitted: 2008-05-02 17:17 UTC Modified: 2008-11-29 00:51 UTC
Avg. Score:3.8 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: jrichardson at whisolutions dot com Assigned:
Status: Not a bug Package: MSSQL related
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
 [2008-05-02 17:17 UTC] jrichardson at whisolutions dot com
When passing XML as a parameter to a stored procedure, the mssql_query call now interprets the "/" as a special character and produces a syntax error. If the slashes are removed from the XML, the SP executes, but the XML parser inside the procedure will not be able to handle it.

The same query will execute and return the proper results when executed from PHP5 or from mssql server directly.

Reproduce code:
$sSQL = "exec any_store_procedure NULL, NULL, '<status><id>5</id><id>6</id><id>8</id></status>', NULL, '01/01/2008', '04/29/2008', 25, 1";
$rc = mssql_query($sSQL,$Link_ID);
$returnedrows = mssql_num_rows($rc);

Expected result:
Depends on the Stored Procedure. But this will cause a syntax error. When running the same query in PHP4 or directly in mssql, it returns a result.

Actual result:
Warning: mssql_query() [function.mssql-query]: message: Line 3: Incorrect syntax near ','. (severity 15) in


 [2008-11-29 00:51 UTC]
I'm not sure whether this should be fixed at the PHP level; however, as far as I remember, MSSQL had an escape syntax like:

SELECT col1_name FROM table1 WHERE col2_name LIKE '\/' {escape '\'}

The same syntax should apply to stored procedures. I'm marking this as bogus as I still don't think it's a PHP-level bug, but rather an SQL syntax issue :)
Last updated: Mon Mar 27 08:03:43 2023 UTC