Bug #63972 Incorrect escape of query when using PDO::ATTR_EMULATE_PREPARES
Submitted: 2013-01-11 18:14 UTC Modified: 2013-01-14 23:54 UTC
From: denis dot gasparin at edistar dot com Assigned:
Status: Duplicate Package: PDO related
PHP Version: 5.3.20 OS: Linux
Private report: No CVE-ID: None
 [2013-01-11 18:14 UTC] denis dot gasparin at edistar dot com
Description:
------------
I have a table with two varchar fields:

create table test(
a varchar,
b varchar
);

When I execute an insert query where the following conditions are met:
- the first field contains a string like this \\''a
- the second field contains a ? character
- the PDO attribute PDO::ATTR_EMULATE_PREPARES is passed to PDO::prepare method

I get the following error:

Invalid parameter number: no parameters were bound in php shell code on line 1

I don't know if the problem is bound to postgresql databases only or other ones.



Test script:
---------------
<?php
// Reproduction as posted: both values are embedded as literals in the SQL text.
$db = new PDO("pgsql:host=localhost;port=5432;dbname=test;");
// First literal holds a backslash followed by a quote; second literal is a lone '?'.
$sql = "insert into test values ('\\''a','?')";
// Disabling native prepared statements makes PDO scan the SQL text for parameter markers itself.
$res = $db->prepare($sql, array(PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT => 1));
$res->execute();





Expected result:
----------------
The query should be executed correctly

Actual result:
--------------
Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: no 
parameters were bound in php shell code on line 1
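A way to keep the reported input away from the emulated-prepare parser, as an added example that is not part of the bug report or of PHP's own code: hand both values to the driver as bound parameters instead of embedding them in the SQL text. It assumes the same test(a, b) table from the report and a local PostgreSQL database; the DSN credentials are placeholders.

```php
<?php
// Added example (not from the bug report). Assumes the test(a varchar, b varchar)
// table from the report exists; connection credentials below are placeholders.

function insertAndReadBack(PDO $db, $a, $b)
{
    // Placeholders only: the text of $a and $b never reaches the statement
    // scanner, so a backslash, a quote or a '?' inside a value cannot be
    // mistaken for SQL syntax or for a parameter marker.
    $ins = $db->prepare('insert into test (a, b) values (:a, :b)');
    $ins->bindValue(':a', $a, PDO::PARAM_STR);
    $ins->bindValue(':b', $b, PDO::PARAM_STR);
    $ins->execute();

    $sel = $db->prepare('select a, b from test where a = :a and b = :b');
    $sel->execute(array(':a' => $a, ':b' => $b));
    return $sel->fetch(PDO::FETCH_ASSOC);
}

// Placeholder DSN and credentials; adjust to the local database.
$db = new PDO('pgsql:host=localhost;port=5432;dbname=test', 'dbuser', 'dbpass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$a = "\\'a";  // backslash followed by a quote, the shape of the report's first field
$b = '?';     // a lone question mark, the report's second field

// Run once with PDO's emulated prepares and once with native pgsql prepares;
// with bound parameters both paths store and return the values unchanged.
foreach (array(true, false) as $emulate) {
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, $emulate);
    $row = insertAndReadBack($db, $a, $b);
    if ($row === false || $row['a'] !== $a || $row['b'] !== $b) {
        throw new RuntimeException('round trip failed with emulate=' . var_export($emulate, true));
    }
    echo 'ok (emulate=', var_export($emulate, true), ")\n";
}
```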

 [2013-01-14 23:54 UTC] johannes@php.net
-Status: Open +Status: Duplicate
 [2013-01-14 23:54 UTC] johannes@php.net
This is a known limitation in the PDO statement parser.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Jun 26 06:01:26 2019 UTC