php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49651 "IN" statment badly handled in bindValue
Submitted: 2009-09-24 08:48 UTC Modified: 2009-09-24 09:02 UTC
From: mmarais at centrapel dot com Assigned:
Status: Closed Package: PDO related
PHP Version: 5.2.11 OS: Linux version 2.6.18-6-686 (Debi
Private report: No CVE-ID: None
 [2009-09-24 08:48 UTC] mmarais at centrapel dot com
Description:
------------
Using named paramters with the "IN" statement does not work correctly. Is a list is used as a parameter with bindValue this list is interpreted as a quoted string in the sql command

Reproduce code:
---------------
$arrEmployees = array(1,2,3,4,5,6);

$strSQL = "
   SELECT id, name
   FROM   employees
   WHERE  id in (:my_list);
";

$objPDOStatement = $objPDO->prepare($strSQL);
$objPDOStatement -> bindValue(':my_list', implode(',', $arrEmployees));
$objPDOStatement -> execute();

Expected result:
----------------
--------------
id | name
--------------
 1 | John Doe
 2 | Jack Doe
 3 | Gill Doe
 4 | Ralf Doe
 5 | Sven Doe
 6 | Carl Doe
--------------

Actual result:
--------------
--------------
id | name
--------------
 1 | John Doe
--------------

In sql cli, same results as if running  

   SELECT id, name
   FROM   employees
   WHERE  id in ('1,2,3,4,5,6'); -- List with quotes;

when expecting

   SELECT id, name
   FROM   employees
   WHERE  id in (1,2,3,4,5,6); -- List with no quotes;


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-09-24 09:02 UTC] uw@php.net
Closing because it is a duplicate of http://bugs.php.net/bug.php?id=44639 . Please follow up in the other bug report.

A workaround is to specify the type of the parameter explicitly. 
 [2012-03-12 10:19 UTC] alvaro at demogracia dot com
IMHO: not dupe, just invalid. You can't use one place-holder to inject six 
parameters.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 23:01:28 2024 UTC