php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #48314 PDO_MySQL doesn't use prepared statements
Submitted: 2009-05-18 13:25 UTC Modified: 2011-01-13 11:51 UTC
From: vrana@php.net Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.2.9 OS: Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: vrana@php.net
New email:
PHP Version: OS:

 

 [2009-05-18 13:25 UTC] vrana@php.net 
Description:
------------
It seems that PDO_MySQL doesn't use prepared statements even with disabled PDO::MYSQL_ATTR_DIRECT_QUERY. If the prepared statements would by used then the binary data passed in the example wouldn't cause a parse error.

MySQL version: 5.1.26

Reproduce code:
---------------
<?php
$pdo = new PDO("mysql:host=localhost", "ODBC", "");
$pdo->setAttribute(PDO::MYSQL_ATTR_DIRECT_QUERY, false);
$pdo->exec("SET NAMES gbk");
$stmt = $pdo->prepare("SELECT ?");
$stmt->execute(array(chr(0xbf) . chr(0x27)));
print_r($stmt->errorInfo());
?>


Expected result:
----------------
Array
(
    [0] => 00000
)


Actual result:
--------------
Array
(
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''?\''' at line 1
)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-18 13:43 UTC] johannes@php.net 
Try also disabling PDO::ATTR_EMULATE_PREPARES. PHP 5.3 got some improvements/fixes with PDO_mysql (due to mysqlnd work) not sure if some parts can be backported.
 [2009-05-18 13:45 UTC] vrana@php.net 
Same result.
 [2009-09-29 21:41 UTC] uw@php.net 
Well, you should not use SET NAMES. It will not change the charset used for quoting. Currently there is no way to change the charset via an API call.

Try ext/mysqli...
 [2009-11-04 19:01 UTC] uw@php.net 
Occasionally I am tempted to bogus any PDO MYSQL character set bug report I see.

SET NAMES won't be recognized by the client and the wrong character set will be used for escaping. Adding a DSN option to specify the character set upon connect and setting it properly through the C API may be only five lines of code. 

But even if that would be implemented we would still have the PDO PS emulation as a potential pitfall. PDO will call the driver for escaping bound values and the driver will properly escape the values. But the PDO SQL parser itself won't care much about the current character set when searching for placeholders.
 [2010-09-06 11:14 UTC] uw@php.net 
The sample script works fine with PHP 5.2.15-dev and MySQL 5.1.45-debug . What could happen in your case is that your server does not support preparing it and falls back to emulation.
 [2011-01-13 11:51 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-01-13 11:51 UTC] johannes@php.net 
As Ulf said: There is a fallback in PDO to emulate in case the prepare failed.  The list of prepareable statements can be found on http://dev.mysql.com/doc/refman/5.1/en/c-api-prepared-statements.html for MySQL 5.1 and on http://dev.mysql.com/doc/refman/5.5/en/c-api-prepared-statements.html for the current 5.5.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 07:01:32 2024 UTC