php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51995 Execution of oci_execute arbitrarily causes ‘Invalid variable used for bind’
Submitted: 2010-06-04 18:04 UTC Modified: 2010-06-17 10:29 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kdyer at nds dot com Assigned: sixd (profile)
Status: Closed Package: OCI8 related
PHP Version: 5.3.2 OS: Ubuntu/CentOS
Private report: No CVE-ID: None
 [2010-06-04 18:04 UTC] kdyer at nds dot com
Description:
------------
1. Run the included SQL to create the package and table on your Oracle server.
2. Create a script on your Apache server with the sample code.
3. Run the example client, which will generate requests to the Apache server.

When the script is running it will generate anywhere from 100-500 successful requests before a request results in a PHP error with ‘Invalid variable used for bind.’

The failure occurs in oci8_statement.c (oci8 1.4.1) in the php_oci_bind_pre_exec function. In the switch statement (line 816) bind->type is referenced. However, in the case when php_oci_bind_array_by_name is used, only bindp->array.type is set (line 1454) to the input type.

It appears that the php_oci_bind_pre_exec function is not correctly checking the type, which causes a false negative. The value that should be checked is dependent upon whether bind_array_by_name or bind_by_name is initially used.

When this failure occurs and bind->type is incorrectly set, bind->array.type is the correctly specified bind type.

I am unable to reproduce this issue on the command line.

This was reproduced in two different environments: 
Ubuntu 10
OCI8 1.4.1
Oracle 10.2.0.3.0
Apache 2.2.14
gcc 4.4.3

CentOS 5
OCI8 1.4.1
Oracle 11.1.0.7.0
Apache 2.2.3
gcc 4.1.1

Test script:
---------------
/* SQL
CREATE TABLE nums
(
    val NUMBER(16)     DEFAULT 0 NOT NULL ENABLE
);
INSERT INTO nums VALUES (1);
INSERT INTO nums VALUES (2);
INSERT INTO nums VALUES (3);
INSERT INTO nums VALUES (4);
INSERT INTO nums VALUES (5);

CREATE OR REPLACE PACKAGE NUMBINDPKG AS
  PROCEDURE iobind(c1 OUT dbms_sql.number_table);
END NUMBINDPKG;

CREATE OR REPLACE PACKAGE BODY NUMBINDPKG AS
  PROCEDURE iobind(c1 OUT dbms_sql.number_table) IS
  BEGIN
    SELECT val BULK COLLECT INTO c1
      FROM nums;
  END iobind;
END NUMBINDPKG;
*/

/* Example client
$url = 'http://apacheserver/sample_script.php';
for ($i=0;$i<1000;$i++)
{
    $curl = curl_init();
    curl_setopt ($curl, CURLOPT_URL, $url);
    curl_setopt ($curl, CURLOPT_TIMEOUT, 1);
    curl_exec ($curl);
    $httpResonseCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close ($curl);

    echo "$i: $url ($httpResonseCode)\n";
    if ($httpResonseCode!=200) break;
}
*/

/* Start sample_script.php */
<?
$statement = oci_parse($c, "BEGIN NUMBINDPKG.iobind(:c1); END;");
$result = array();

oci_bind_array_by_name($statement, ":c1", $result, 5, 16, SQLT_INT);

$retval = oci_execute($statement);

oci_close($c);

Expected result:
----------------
An error should never occur.

Actual result:
--------------
Approx 1 in every 250 requests result in an ‘Invalid variable used for bind’ error, caused by oci_execute.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-06-04 19:06 UTC] johannes@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: sixd
 [2010-06-04 21:04 UTC] sixd@php.net
If you remove SQLT_INT and let the type default do you still experience the 
problem?
 [2010-06-07 13:52 UTC] kdyer at nds dot com
In my test environment the problem still occurs when I omit the data type.

I am unable to test this fix in our production environment because we are using the NOCOPY keyword for OUT parameters. When NOCOPY is used the correct data type is required, otherwise Oracle will produce the following error:

PLS-00418: array bind type must match PL/SQL table row type
 [2010-06-17 10:29 UTC] kdyer at nds dot com
-Status: Assigned +Status: Closed
 [2010-06-17 10:29 UTC] kdyer at nds dot com
Duplicate of Bug#51577.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Aug 17 05:05:45 2022 UTC