Bug #65583 PDO MySQL driver does not escape backslashes properly
Submitted: 2013-08-29 13:10 UTC Modified: 2013-08-29 14:06 UTC
From: kevin at les-tilleuls dot coop Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.5.3 OS: Mac OS X
Private report: No CVE-ID: None
 [2013-08-29 13:10 UTC] kevin at les-tilleuls dot coop
Description:
------------
PDO MySQL driver does not escape backslashes in strings.

The MySQL doc indicates that backslashes must be doubled to be escaped 
http://dev.mysql.com/doc/refman/5.6/en/string-literals.html

The driver does not do that. See the script above.
Should this escaping be done by PDO or a higher layer like Doctrine DBAL?

Test script:
---------------
<?php

define('DSN', 'mysql:dbname=testdb;host=127.0.0.1');
define('USER', 'root');
define('PASSWORD', '');

/* DATABASE STRUCTURE

CREATE TABLE `test` (
  `test` varchar(255) NOT NULL,
  PRIMARY KEY (`test`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

*/

$dbh = new PDO(DSN, USER, PASSWORD);

// Value that starts with a single literal backslash
$data = '\\' . uniqid();

$stmt = $dbh->prepare('INSERT INTO test(test) VALUES(:data)');
$stmt->execute(array('data' => $data));

// Look the row up again with LIKE, binding the raw value
$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' => $data));

var_dump($stmt->fetchColumn());

// Same query, with the backslash doubled before binding
$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' => str_replace('\\', '\\\\', $data)));

var_dump($stmt->fetchColumn());


Expected result:
----------------
string(14) "\521f3f450f597"
bool(false)

Actual result:
--------------
bool(false)
string(14) "\521f3f450f597"

History

 [2013-08-29 14:06 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2013-08-29 14:06 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Your issue is that for LIKE the \ is a special character. If you use 

$stmt = $dbh->prepare('SELECT test FROM test WHERE test = :data');

all works. See also http://dev.mysql.com/doc/refman/5.6/en/string-comparison-functions.html#operator_like
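One way to bind a literal value into a LIKE pattern so that backslash, `%` and `_` are taken literally, as an added example that is not code from the report or from PDO itself: the `escapeLikeLiteral` helper is hypothetical, the `test` table is the one from the report, and the DSN, charset and error-mode attributes are assumptions.

```php
<?php
// Added example (not from the bug report). Assumes the `test` table from the
// report exists and a MySQL server is reachable with the constructed DSN below.

/**
 * Escape a literal value for use inside a MySQL LIKE pattern bound via PDO.
 * Binding already prevents SQL injection, but LIKE still interprets the
 * escape character, '%' and '_' inside the bound value. The escape character
 * itself must be handled first, otherwise the escapes added for '%' and '_'
 * would be doubled again.
 */
function escapeLikeLiteral(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

// Constructed sample value: a leading literal backslash plus LIKE metacharacters
$data = '\\user_42%';

$stmt = $dbh->prepare('INSERT INTO test(test) VALUES(:data)');
$stmt->execute(['data' => $data]);

// Exact comparison: no pattern semantics, the bound value is matched literally.
$stmt = $dbh->prepare('SELECT test FROM test WHERE test = :data');
$stmt->execute(['data' => $data]);
var_dump($stmt->fetchColumn());

// Prefix search with LIKE and the default backslash escape: escape the literal
// part, then append the wildcard that is meant to be a wildcard.
$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :pattern');
$stmt->execute(['pattern' => escapeLikeLiteral($data) . '%']);
var_dump($stmt->fetchColumn());

// Same search with an explicit ESCAPE clause, which does not depend on the
// server treating backslash as the escape character; backslash is then literal.
$stmt = $dbh->prepare("SELECT test FROM test WHERE test LIKE :pattern ESCAPE '!'");
$stmt->execute(['pattern' => escapeLikeLiteral($data, '!') . '%']);
var_dump($stmt->fetchColumn());

// Binding the raw value as the pattern reads "\u" as an escape and "_" and "%"
// as wildcards, which is the mismatch the report observed.
$stmt->execute(['pattern' => $data]);
var_dump($stmt->fetchColumn());
```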
 [2013-08-29 19:51 UTC] kevin at les-tilleuls dot coop
Thanks for the reply.
Sorry for the inconvenience.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Jul 20 01:01:25 2019 UTC