php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48314 PDO_MySQL doesn't use prepared statements
Submitted: 2009-05-18 13:25 UTC Modified: 2011-01-13 11:51 UTC
From: vrana@php.net Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.2.9 OS: Windows
Private report: No CVE-ID: None
 [2009-05-18 13:25 UTC] vrana@php.net
Description:
------------
It seems that PDO_MySQL doesn't use prepared statements even with disabled PDO::MYSQL_ATTR_DIRECT_QUERY. If the prepared statements would by used then the binary data passed in the example wouldn't cause a parse error.

MySQL version: 5.1.26

Reproduce code:
---------------
<?php
$pdo = new PDO("mysql:host=localhost", "ODBC", "");
$pdo->setAttribute(PDO::MYSQL_ATTR_DIRECT_QUERY, false);
$pdo->exec("SET NAMES gbk");
$stmt = $pdo->prepare("SELECT ?");
$stmt->execute(array(chr(0xbf) . chr(0x27)));
print_r($stmt->errorInfo());
?>


Expected result:
----------------
Array
(
    [0] => 00000
)


Actual result:
--------------
Array
(
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''?\''' at line 1
)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-18 13:43 UTC] johannes@php.net
Try also disabling PDO::ATTR_EMULATE_PREPARES. PHP 5.3 got some improvements/fixes with PDO_mysql (due to mysqlnd work) not sure if some parts can be backported.
 [2009-05-18 13:45 UTC] vrana@php.net
Same result.
 [2009-09-29 21:41 UTC] uw@php.net
Well, you should not use SET NAMES. It will not change the charset used for quoting. Currently there is no way to change the charset via an API call.

Try ext/mysqli... 
 [2009-11-04 19:01 UTC] uw@php.net
Occasionally I am tempted to bogus any PDO MYSQL character set bug report I see.

SET NAMES won't be recognized by the client and the wrong character set will be used for escaping. Adding a DSN option to specify the character set upon connect and setting it properly through the C API may be only five lines of code. 

But even if that would be implemented we would still have the PDO PS emulation as a potential pitfall. PDO will call the driver for escaping bound values and the driver will properly escape the values. But the PDO SQL parser itself won't care much about the current character set when searching for placeholders.
 [2010-09-06 11:14 UTC] uw@php.net
The sample script works fine with PHP 5.2.15-dev and MySQL 5.1.45-debug . What could happen in your case is that your server does not support preparing it and falls back to emulation.
 [2011-01-13 11:51 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-01-13 11:51 UTC] johannes@php.net
As Ulf said: There is a fallback in PDO to emulate in case the prepare failed.  The list of prepareable statements can be found on http://dev.mysql.com/doc/refman/5.1/en/c-api-prepared-statements.html for MySQL 5.1 and on http://dev.mysql.com/doc/refman/5.5/en/c-api-prepared-statements.html for the current 5.5.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Feb 25 20:01:24 2021 UTC