php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45101 pg_send_query_params ORDER BY ignored
Submitted: 2008-05-27 04:47 UTC Modified: 2008-10-20 00:41 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: alan at fromorbit dot com Assigned: hholzgra (profile)
Status: Not a bug Package: PostgreSQL related
PHP Version: 5.2.6 OS: Linux 2.6.24.7 x64
Private report: No CVE-ID: None
 [2008-05-27 04:47 UTC] alan at fromorbit dot com
Description:
------------
Hi all,

I've discovered that if you use pg_send_query_params() and try and include a parameter for an 'ORDER BY' for example it's completely ignored. I've looked at the pg_trace() output and it appears to be doing the right thing. All I can assume is that the parameter is being converted to a TRUE for an ORDER BY, and so the database happily accepts 'ORDER BY 1'.



Reproduce code:
---------------
#!/opt/php/bin/php
<?php
/*
create table php_bug (id integer, name varchar(255));
insert into php_bug values (1, 'one');
insert into php_bug values (2, 'two');
insert into php_bug values (3, 'three');
insert into php_bug values (4, 'four');
insert into php_bug values (5, 'five');
 */

$conn = pg_connect('host=localhost dbname=test port=5432 user=web');

$sql = 'SELECT * FROM php_bug WHERE name LIKE $1 ORDER BY $2';
$params = array('%o%', 'doesnt_exist_and_should_be_an_sql_error');

if (! pg_connection_busy($conn)) pg_send_query_params($conn, $sql, $params);

$res = pg_get_result($conn);

while($row = pg_fetch_assoc($res))
        echo "{$row['id']} - {$row['name']}\n";

?>


Expected result:
----------------
An SQL error or an output that is ordered by the given parameter

Actual result:
--------------
1 - one
2 - two
4 - four


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-10-19 23:37 UTC] hholzgra@php.net
ORDER BY can get both a result column name or an expression as input,
in regular statements you would distinguish between a column name and a string expression by checking whether the name is in qoutes or not.

With pg_send_query_params() the situation becomes ambiguous though and the function always picks the string variant, so your statement becomes the equivalent of

  SELECT * 
  FROM php_bug 
  WHERE name LIKE '%o%' 
  ORDER BY 'doesnt_exist_and_should_be_an_sql_error';

and so sorts by a constant (string) expression.
 [2008-10-20 00:41 UTC] alan at fromorbit dot com
If that's the case, how does one sort by the column name passed into the statement via the prepared values array if it always selects string?

Should this be documented?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 13:01:31 2024 UTC