php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63347 Different behavior of parameters processing
Submitted: 2012-10-24 14:06 UTC Modified: 2012-10-26 03:35 UTC
From: naquad at gmail dot com Assigned: wez (profile)
Status: Not a bug Package: PDO related
PHP Version: 5.4.8 OS: Linux
Private report: No CVE-ID: None
 [2012-10-24 14:06 UTC] naquad at gmail dot com
Description:
------------
PDO::ATTR_EMULATE_PREPARES changes behavior of parameter processing.
When it is enabled multiple occurrences of named parameter work as expected, but 
when it is disabled I get "Invalid parameter number" error.

Test script:
---------------
<?php
  $pdo = new PDO('mysql:host=localhost;dbname=test', 'root', '');
  $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); /// remove this line and scirpt works as expected
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $query = $pdo->prepare('select :x = :x');
  $query->bindValue(':x', 1);
  $query->execute();
  $t = $query->fetch();
  var_dump($t);
  $query->closeCursor();

Expected result:
----------------
array(2) {
  '\'1\' = \'1\'' =>
  string(1) "1"
  [0] =>
  string(1) "1"
}

Actual result:
--------------
PDOException: SQLSTATE[HY093]: Invalid parameter number in 
/srv/http/fucktube/app/test.php on line 7

Call Stack:
    0.0002     230552   1. {main}() /srv/http/fucktube/app/test.php:0
    0.0739     246416   2. PDOStatement->execute() 
/srv/http/fucktube/app/test.php:7


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-25 04:01 UTC] laruence@php.net
seems native prepare supporting doesn't supports multi-same-name params, it will 
faild in the params number checking
 [2012-10-25 04:02 UTC] laruence@php.net
-Assigned To: +Assigned To: wez
 [2012-10-25 10:08 UTC] uw@php.net
I consider this bogus: SQL syntax violated. Mapping feature abused to create dynamic SQL, which is against the main argument brought up for PDO's PS fixation.
 [2012-10-25 10:15 UTC] naquad at gmail dot com
Its not bogus. You can change the query to something like 'insert into users(login, password, screen_name) values(:login, :password, :login)' and issue will be still ok. And if it is "violated" then why emulated prepares work with this?
 [2012-10-26 03:35 UTC] wez@php.net
-Status: Assigned +Status: Not a bug
 [2012-10-26 03:35 UTC] wez@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

We can't reimplement the mysql (or any DB) prepared statement support 100% on the 
client side.  Emulated prepares behave differently and this is one of the ways 
that this manifests.   This behavior will not be changed.  If it is important for 
you that this work both ways, then you should write your queries with emulated 
prepares turned off.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 19:01:30 2024 UTC