|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48314 PDO_MySQL doesn't use prepared statements
Submitted: 2009-05-18 13:25 UTC Modified: 2011-01-13 11:51 UTC
From: Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.2.9 OS: Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2009-05-18 13:25 UTC]
It seems that PDO_MySQL doesn't use prepared statements even with disabled PDO::MYSQL_ATTR_DIRECT_QUERY. If the prepared statements would by used then the binary data passed in the example wouldn't cause a parse error.

MySQL version: 5.1.26

Reproduce code:
$pdo = new PDO("mysql:host=localhost", "ODBC", "");
$pdo->setAttribute(PDO::MYSQL_ATTR_DIRECT_QUERY, false);
$pdo->exec("SET NAMES gbk");
$stmt = $pdo->prepare("SELECT ?");
$stmt->execute(array(chr(0xbf) . chr(0x27)));

Expected result:
    [0] => 00000

Actual result:
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''?\''' at line 1


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-18 13:43 UTC]
Try also disabling PDO::ATTR_EMULATE_PREPARES. PHP 5.3 got some improvements/fixes with PDO_mysql (due to mysqlnd work) not sure if some parts can be backported.
 [2009-05-18 13:45 UTC]
Same result.
 [2009-09-29 21:41 UTC]
Well, you should not use SET NAMES. It will not change the charset used for quoting. Currently there is no way to change the charset via an API call.

Try ext/mysqli... 
 [2009-11-04 19:01 UTC]
Occasionally I am tempted to bogus any PDO MYSQL character set bug report I see.

SET NAMES won't be recognized by the client and the wrong character set will be used for escaping. Adding a DSN option to specify the character set upon connect and setting it properly through the C API may be only five lines of code. 

But even if that would be implemented we would still have the PDO PS emulation as a potential pitfall. PDO will call the driver for escaping bound values and the driver will properly escape the values. But the PDO SQL parser itself won't care much about the current character set when searching for placeholders.
 [2010-09-06 11:14 UTC]
The sample script works fine with PHP 5.2.15-dev and MySQL 5.1.45-debug . What could happen in your case is that your server does not support preparing it and falls back to emulation.
 [2011-01-13 11:51 UTC]
-Status: Open +Status: Bogus
 [2011-01-13 11:51 UTC]
As Ulf said: There is a fallback in PDO to emulate in case the prepare failed.  The list of prepareable statements can be found on for MySQL 5.1 and on for the current 5.5.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 24 13:01:29 2024 UTC