Bug #65583 PDO MySQL driver does not escape properly backslashes
Submitted: 2013-08-29 13:10 UTC
Modified: 2013-08-29 14:06 UTC
From: kevin at les-tilleuls dot coop
Assigned:
Status: Not a bug
Package: PDO related
PHP Version: 5.5.3
OS: Mac OS X
Private report: No
CVE-ID: None


 [2013-08-29 13:10 UTC] kevin at les-tilleuls dot coop
PDO MySQL driver does not escape backslashes in strings.

The MySQL doc indicates that backslashes must be doubled to be escaped.

The driver does not do that. See the script above.
Should this escaping be done by PDO or a higher layer like Doctrine DBAL?

Test script:

define('DSN', 'mysql:dbname=testdb;host=');
define('USER', 'root');
define('PASSWORD', '');


/*
Table used by the script:

CREATE TABLE `test` (
  `test` varchar(255) NOT NULL,
  PRIMARY KEY (`test`)
);
*/


$dbh = new PDO(DSN, USER, PASSWORD);

$data = '\\' . uniqid();

$stmt = $dbh->prepare('INSERT INTO test(test) VALUES(:data)');
$stmt->execute(array('data' => $data));

$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' => $data));


$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' =>  str_replace('\\', '\\\\', $data)));


Expected result:
string(14) "\521f3f450f597"

Actual result:
string(14) "\521f3f450f597"


 [2013-08-29 14:06 UTC]
-Status: Open +Status: Not a bug
 [2013-08-29 14:06 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

Your issue is that for LIKE the \ is a special character. If you use 

$stmt = $dbh->prepare('SELECT test FROM test WHERE test = :data');

all works. See also
 [2013-08-29 19:51 UTC] kevin at les-tilleuls dot coop
Thanks for the reply.
Sorry for the inconvenience.
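
The behaviour discussed in this thread, as an added example that is not part of the bug report or of PHP's own code: a bound parameter is safe as a value, but when it is used as a LIKE pattern, `\`, `%` and `_` are still pattern syntax and need their own escaping. It assumes in-memory SQLite with an explicit ESCAPE '\' as a stand-in for MySQL; `escapeLike()`, `likeMatches()` and the sample rows are constructed for illustration.

```php
<?php
// Added example. Assumption: SQLite in memory with ESCAPE '\' stands in for
// MySQL, whose LIKE uses backslash as the escape character by default.

/** Escape LIKE pattern syntax so that $value is matched literally. */
function escapeLike(string $value, string $escape = '\\'): string
{
    // The escape character itself must be handled first, then the wildcards.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/** Return every row whose value matches $pattern under LIKE (hypothetical helper). */
function likeMatches(PDO $dbh, string $pattern): array
{
    $stmt = $dbh->prepare("SELECT test FROM test WHERE test LIKE :data ESCAPE '\\' ORDER BY test");
    $stmt->execute(['data' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE test (test VARCHAR(255) NOT NULL PRIMARY KEY)');

// Constructed sample rows: the report's value, the same value without the
// backslash, and two rows that differ only where a wildcard would apply.
$withSlash = '\\521f3f450f597';
$insert = $dbh->prepare('INSERT INTO test(test) VALUES(:data)');
foreach ([$withSlash, '521f3f450f597', '100%', '100x'] as $row) {
    $insert->execute(['data' => $row]);
}

// Raw value as a pattern: LIKE consumes the backslash as its escape character,
// so the row that really starts with a backslash is not the one that matches.
var_dump(likeMatches($dbh, $withSlash));

// Escaped value: the pattern now describes the literal backslash.
var_dump(likeMatches($dbh, escapeLike($withSlash)));

// The same applies to wildcards supplied by a user.
var_dump(likeMatches($dbh, '100%'));
var_dump(likeMatches($dbh, escapeLike('100%')));

// Equality has no pattern syntax, so the bound value needs no escaping at all.
$stmt = $dbh->prepare('SELECT test FROM test WHERE test = :data');
$stmt->execute(['data' => $withSlash]);
var_dump($stmt->fetchColumn());
```

On MySQL the ESCAPE clause can be dropped, since backslash is already the default LIKE escape character unless the NO_BACKSLASH_ESCAPES SQL mode is enabled.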
Last updated: Tue Jul 16 07:01:31 2024 UTC