Bug #63972 Incorrect escape of query when using PDO::ATTR_EMULATE_PREPARES
Submitted: 2013-01-11 18:14 UTC Modified: 2013-01-14 23:54 UTC
From: denis dot gasparin at edistar dot com Assigned:
Status: Duplicate Package: PDO related
PHP Version: 5.3.20 OS: Linux
Private report: No CVE-ID: None
 [2013-01-11 18:14 UTC] denis dot gasparin at edistar dot com
Description:
------------
I have a table with two varchar fields:

create table test(
a varchar,
b varchar
);

When I execute an insert query where the following conditions are met:
- the first field contains a string like this \\''a
- the second field contains a ? character
- the PDO attribute PDO::ATTR_EMULATE_PREPARES is passed to PDO::prepare method

I get the following error:

Invalid parameter number: no parameters were bound in php shell code on line 1

I don't know if the problem is bound to postgresql databases only or other ones.



Test script:
---------------
<?php
// Reproduction as reported: the value with a backslash and doubled quote and the
// literal "?" are inlined into the SQL text, and native prepared statements are
// disabled so PDO's own emulation layer has to parse the query.
$db = new PDO("pgsql:host=localhost;port=5432;dbname=test;");
$sql = "insert into test values ('\\''a','?')"; // SQL text sent: insert into test values ('\''a','?')
$res = $db->prepare($sql,array(PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT => 1));
$res->execute(); // raises SQLSTATE[HY093] "Invalid parameter number" as described above





Expected result:
----------------
The query should be executed correctly

Actual result:
--------------
Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: no parameters were bound in php shell code on line 1
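As an added example (not part of the report), the same insert written so that the two awkward values are bound instead of inlined; the credentials, the attribute settings and the read-back query are assumptions, the table is the one from the report:

```php
<?php
// Added example: keep the backslash, the quotes and the literal "?" out of the
// SQL text by binding them. PDO's placeholder scanner then only ever sees a
// template with two plain "?" markers, whether or not emulation is on, and with
// native prepares the server parses the statement itself.
// Assumptions: PostgreSQL reachable with this DSN/user/password (placeholders)
// and the two-column table "test" from the report.
$db = new PDO('pgsql:host=localhost;port=5432;dbname=test', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the server parse, not PDO
]);

$a = "\\''a"; // PHP string: backslash, quote, quote, a (the report's first value)
$b = '?';     // a question mark as data, not a placeholder

$ins = $db->prepare('insert into test (a, b) values (?, ?)');
$ins->execute([$a, $b]);

// Read the row back through bound parameters too, so the "?" in $b never
// appears in query text, and confirm both values survived byte for byte.
$sel = $db->prepare('select a, b from test where a = ? and b = ?');
$sel->execute([$a, $b]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

if ($row === false || $row['a'] !== $a || $row['b'] !== $b) {
    throw new RuntimeException('round trip mismatch: ' . var_export($row, true));
}
echo "ok\n";
```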
 [2013-01-14 23:54 UTC] johannes@php.net
-Status: Open +Status: Duplicate
 [2013-01-14 23:54 UTC] johannes@php.net
This is a known limitation in the PDO statement parser.