php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54551 pdo_mysql_stmt_get_col() converts DB integer to string
Submitted: 2011-04-17 19:22 UTC Modified: 2011-04-17 22:20 UTC
From: php_nospam at ramihyn dot sytes dot net Assigned:
Status: Not a bug Package: MySQL related
PHP Version: Irrelevant OS: Any
Private report: No CVE-ID: None
 [2011-04-17 19:22 UTC] php_nospam at ramihyn dot sytes dot net
Description:
------------
pdo_mysql_stmt_get_col() returns a string instead of an integer obtained from the database. This happens with the pdo_mysql extension included in the PHP download section as well as on my Ubuntu box.

Looking at mysql_statement.c from the pdo_mysql source shows, that it returns a ZVAL reference instead of a string when compiled with mysqlnd, so if i may ask: why isnt it the default to compile with mysqlnd?


Test script:
---------------
<?php
$mysql = new PDO('mysql:host=localhost;dbname=test', 'root', '');
$mysql->setAttribute(PDO::ATTR_STRINGIFY_FETCHES, false);

var_dump($mysql->query('SELECT 42')->fetch(PDO::FETCH_NUM));
?>



Expected result:
----------------
array(1) {
  [0]=>
  int(42)
}


Actual result:
--------------
array(1) {
  [0]=>
  string(2) "42"
}


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-04-17 20:36 UTC] johannes@php.net
The issue actually is that PDO by default uses emulation of prepared statements. Only native prepared statements use the binary protocol which keeps the proper types.
 [2011-04-17 20:36 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-04-17 20:36 UTC] johannes@php.net
.
 [2011-04-17 22:05 UTC] php_nospam at ramihyn dot sytes dot net
Yeah well, its a bug that pdo/pdo_mysql have for at least 3 years now.
http://bugs.php.net/bug.php?id=44341 was set to Bogus claiming it was not a PDO core bug.

So you're trying to tell me its irrelevant that PHP's next generation database interface cant event transport an int(11) from database to a variable without converting it to a string?

As mysql_fetch_assoc() handles integers correctly by not converting them to a string, it really shouldnt be that hard for pdo_mysql to do the same.
 [2011-04-17 22:20 UTC] php_nospam at ramihyn dot sytes dot net
This misbehaviour effectively renders pdo_mysql useless since 3 years, and using the functions from the mysql extension is more likely vulnerable to sql injection attacks.

Stating this is Bogus or Irrelevant doesnt sound much like a solution making php and php applications more secure.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 01:01:27 2024 UTC