Request #59020 design problem with function db2_bind_param()
Submitted: 2010-01-05 04:20 UTC Modified: 2010-01-05 07:44 UTC
From: zhukecdl at cn dot ibm dot com Assigned:
Status: Not a bug Package: ibm_db2 (PECL)
PHP Version: 5.2.10 OS: Windows XP
Private report: No CVE-ID: None
 [2010-01-05 04:20 UTC] zhukecdl at cn dot ibm dot com
Description:
------------
There is a problem with scope when using db2_bind_param(). db2_bind_param should look up "variable-name" in the scope in which db2_bind_param has been called. It should NOT attempt to look up in the global scope. If it finds a variable in scope with the correct name it should take a _reference_ to that variable.  Thus when db2_execute is called it will use a reference to the scope.

The fix in bug #6528 fixes the specific scenario reported but it does not fix the myriad other possible scope issues.  It also breaks the design of PHP. Global variables are not part of the local scope in a PHP function unless explicitly imported. There are absolutely no other cases of PHP global variables "bleeding through" into local scope like this. In addition, other cases are not addressed by this design:

1. calling db2_bind_param() in one function but then calling db2_execute() in another function.
2. Calling db2_bind_param() in a function but performing db2_execute() in the global scope.

This bug was found when we implemented this function in the IBM P8 PHP engine:

http://www.projectzero.org/bugzilla/show_bug.cgi?id=9279

Reproduce code:
---------------
<?php
function sample_db2_bind_param($conn) {
	$sql =  "SELECT RTRIM(name) FROM animals WHERE breed = ? ORDER BY id";
	$stmt = db2_prepare( $conn, $sql );
	// bind variable in local scope
	$var = "cat";
	db2_bind_param($stmt, 1, "var", DB2_PARAM_IN);
	return $stmt;
}

$conn = db2_connect($database, $user, $password);
$stmt = sample_db2_bind_param($conn);
db2_execute($stmt);
$row = db2_fetch_array($stmt);
var_dump($row);
?>

Expected result:
----------------
array(1) {
  [0]=>
  string(4) "Pook"
}

Actual result:
--------------
Warning: db2_execute(): Value Not Bound in %s\test_sMash_9279_bindings_params.php on line %d

Warning: db2_execute(): Binding Error 3 in %s\test_sMash_9279_bindings_params.php on line %d

Warning: db2_fetch_array(): Fetch Failure in %s\test_sMash_9279_bindings_params.php on line %d
bool(false)

 [2010-01-05 04:35 UTC] zhukecdl at cn dot ibm dot com
This is the phpt test case that we use to verify projectzero bug 9279:
http://www.projectzero.org/bugzilla/show_bug.cgi?id=9279

--TEST--
IBM-DB2: ProjectZero bug 9279 - db2_bind_param()
--SKIPIF--
<?php require_once('skipif.inc'); ?>
--FILE--
<?php

require_once('connection.inc');

function checked_db2_execute($stmt) {
	db2_execute($stmt);
	$row = db2_fetch_array($stmt);
	var_dump($row);
}

function sample_db2_bind_param($conn) {
	$sql =  "SELECT RTRIM(name) FROM animals WHERE breed = ? ORDER BY id";
	$stmt = db2_prepare( $conn, $sql );
	// bind variable in local scope
	$var = "cat";
	db2_bind_param($stmt, 1, "var", DB2_PARAM_IN);
	return $stmt;
}

$conn = db2_connect($database, $user, $password);

if ($conn) {
	// case 1: calling db2_bind_param() in one function, then calling db2_execute()
	// 	in another function.
	$stmt = sample_db2_bind_param($conn);
	checked_db2_execute($stmt);
	
	// case 2: calling db2_bind_param() in a function but performing db2_execute() 
	//	in the global scope.
	
	$stmt = sample_db2_bind_param($conn);
	db2_execute($stmt);
	$row = db2_fetch_array($stmt);
	var_dump($row);
	
	// case 3: make sure no other cases of PHP global variables "bleeding through" 
	// 	into local scope
	
	$stmt = sample_db2_bind_param($conn);
	// create a global variable but it won't impact dumping result
	$var = 'dog';
	db2_execute($stmt);
	$row = db2_fetch_array($stmt);
	var_dump($row);
	
	db2_close($conn);
}
else {
	echo "Connection failed.\n";
}
?>
--EXPECT--
array(1) {
  [0]=>
  string(4) "Pook"
}
array(1) {
  [0]=>
  string(4) "Pook"
}
array(1) {
  [0]=>
  string(4) "Pook"
}
 [2010-01-05 07:44 UTC] abhargav at in dot ibm dot com
Sorry, but your problem does not imply a bug in PECL itself.  For a
list of more appropriate places to ask for help using PECL, please
visit http://pecl.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PECL.

Hi,

There is an issue with the scope of the variable ($var) in your script. For cases 1 and 2, the scope of $var is only inside sample_db2_bind_param() and it is not available inside the main script or the checked_db2_execute() function.

So, for case 1 you need to define $var in the checked_db2_execute() function (before calling the db2_execute() function).

And for case 2, define $var before calling the db2_execute() function (as you have done in case 3).

Regards,
Ambrish Bhargava
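
A model of the two binding designs discussed in this report, added here as an illustration and not taken from ibm_db2 or from either poster. `NameBoundStmt` and `RefBoundStmt` are hypothetical classes, and the `$scope` array stands in for the variables visible where execute is called; the model shows a name resolved at execute time failing in case 2 and picking up an unrelated global in case 3, while a reference taken at bind time carries the local value.

```php
<?php
// Constructed model (no database, not ibm_db2 source code).

final class NameBoundStmt {                       // hypothetical stand-in
    private array $names = [];
    public function bindParam(int $pos, string $name): void { $this->names[$pos] = $name; }
    // $scope models the variables visible to the caller of execute().
    public function execute(array $scope): array {
        $out = [];
        foreach ($this->names as $pos => $name) {
            if (!array_key_exists($name, $scope)) {
                throw new RuntimeException("Value Not Bound: \$$name");
            }
            $out[$pos] = $scope[$name];           // whatever that scope holds now
        }
        return $out;
    }
}

final class RefBoundStmt {                        // hypothetical stand-in
    private array $refs = [];
    public function bindParam(int $pos, &$var): void { $this->refs[$pos] = &$var; }
    // Copy out the current values of the referenced variables.
    public function execute(): array { return array_map(fn($v) => $v, $this->refs); }
}

function bindByName(): NameBoundStmt {
    $stmt = new NameBoundStmt();
    $var = "cat";                                 // local; destroyed on return
    $stmt->bindParam(1, "var");                   // only the name survives
    return $stmt;
}

function bindByRef(): RefBoundStmt {
    $stmt = new RefBoundStmt();
    $var = "cat";
    $stmt->bindParam(1, $var);                    // the reference keeps the value alive
    return $stmt;
}

$stmt = bindByName();
try {
    $stmt->execute(get_defined_vars());           // case 2: no $var in global scope yet
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
$var = "dog";                                     // case 3: a global with the same name
var_dump($stmt->execute(get_defined_vars()));     // name lookup sees the global value
var_dump(bindByRef()->execute());                 // reference still holds the bound local
```

The model needs PHP 7.4 or later for typed properties and arrow functions.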
 
Last updated: Tue Jun 18 05:01:27 2019 UTC