|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63972 Incorrect escape of query when using PDO::ATTR_EMULATE_PREPARES
Submitted: 2013-01-11 18:14 UTC Modified: 2013-01-14 23:54 UTC
From: denis dot gasparin at edistar dot com Assigned:
Status: Duplicate Package: PDO related
PHP Version: 5.3.20 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
45 - 42 = ?
Subscribe to this entry?

 [2013-01-11 18:14 UTC] denis dot gasparin at edistar dot com
I have a table with two varchar fields:

create table test(
a varchar,
b varchar

When I execute an insert query where the following conditions are met:
- the first field contains a string like this \\''a
- the second field containts a ? character
- the PDO attribute PDO::ATTR_EMULATE_PREPARES is passed to PDO::prepare method

I get the following error:

Invalid parameter number: no parameters were bound in php shell code on line 1

I don't know if the problem is bound to postgresql databases only or other ones.

Test script:
$db = new PDO("pgsql:host=localhost;port=5432;dbname=test;");
$sql = "insert into test values ('\\''a','?')";
$res = $db->prepare($sql,array(PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT => 1));

Expected result:
The query should be executed correctly

Actual result:
Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: no 
parameters were bound in php shell code on line 1


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-01-14 23:54 UTC]
-Status: Open +Status: Duplicate
 [2013-01-14 23:54 UTC]
This is a known limitation in the PDO statement parser.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Jan 24 06:03:34 2022 UTC