Bug #71447 A query may return a bad result or error "Invalid parameter number"
Submitted: 2016-01-25 16:10 UTC Modified: 2016-02-18 09:34 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: skrol29forum+bugsphp at gmail dot com Assigned: mbeccati (profile)
Status: Closed Package: PDO PgSQL
PHP Version: 5.6.17 OS: Windows 10, Debian Cid
Private report: No CVE-ID: None
 [2016-01-25 16:10 UTC] skrol29forum+bugsphp at gmail dot com
Depending on a comment in the SQL query, PDO will run it correctly or return an error, or even a wrong result.

Run the test script and an error will be raised even though the query actually contains no PDO parameters.
Then if you simply delete the single-quote character (replace "that's strange" with "thats strange") in the comment of the SQL query there will be no error.

More dramatic:
   $pdo->query($sql_1, PDO::FETCH_NUM);
   $pdo->query($sql_2, PDO::FETCH_NUM);
in order to run the second query.
Take care to create the table and the row beforehand, using the small SQL script at the head of the script.
In this case, there is no error, but the query returns a wrong result (NULL instead of '8000'). If you delete the single-quote in the comment, then the result is correct.

The bug occurs with Windows 10 and Debian Cid with PHP 5.6.17 but also with versions 5.6.16 and 5.6.15. Not tested on PHP 7.
The bug does not occur with PHP 5.4.3.

I've tested a similar query with PDO-MySQL and there is no error.

PDO version with PHP 5.6.17:
PostgreSQL(libpq) Version 	9.4.1
Module version 	1.0.2
Revision 	$Id: 93432550a76a2298959ec74f40d65c7195a82ad2 $ 

Test script:
<?php
/*
Database structure for query #2:
CREATE TABLE _test.t_test (prms character varying(255));
INSERT INTO _test.t_test (prms) VALUES ('{"radius":8000}');
*/

// connection to the PostgreSQL database
$pdo = new PDO("pgsql:dbname=mydb;host=myhost", 'myusername', 'mypassword');

// query #1: no PDO parameters, only a single quote inside the "--" comment
$sql_1 = "
SELECT -- that's strange
  SUBSTRING( '{\"radius\":8000}'::text FROM '(?:\"radius\":)([\d\.]*)') AS zzz";

// query #2: same expression, but the value is read from the table
$sql_2 = "
SELECT -- that's strange
  SUBSTRING( prms::text FROM '(?:\"radius\":)([\d\.]*)') AS zzz
FROM _test.t_test";

$rs = $pdo->query($sql_1, PDO::FETCH_NUM);
$rec = $rs->fetch();
// print the fetched row in the format shown under "Expected result"
var_export($rec);

Expected result:
array (
  0 => '8000',
)

Actual result:
Query #1 returns :

« PDO::query(): SQLSTATE[HY093]: Invalid parameter number: mixed named and positional parameters in ... »

Query #2 returns :

array (
  0 => NULL,
)


 [2016-02-18 09:34 UTC]
-Assigned To: +Assigned To: mbeccati
 [2016-04-04 22:11 UTC]
Automatic comment on behalf of mbeccati
Log: Fixed bug #71447 (Quotes inside comments not properly handled)
 [2016-04-04 22:11 UTC]
-Status: Assigned +Status: Closed
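
The following is an added example, not code from the report or from PDO itself: a simplified model of a placeholder scanner, run over the two queries from the test script, showing how a quote inside a `--` comment shifts the quote state when comments are not skipped. The function name findPlaceholders and its reduced grammar are assumptions made for illustration; it needs PHP 7 or later.

```php
<?php
// Simplified model of a placeholder scanner (hypothetical, not PDO's parser).
// $skipComments = false reproduces the faulty reading of the quote state.
function findPlaceholders(string $sql, bool $skipComments): array
{
    $found = [];
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        $next = $sql[$i + 1] ?? '';
        if ($skipComments && $c === '-' && $next === '-') {
            // line comment: ignore everything up to the end of the line
            $eol = strpos($sql, "\n", $i);
            $i = ($eol === false) ? $len : $eol;
        } elseif ($skipComments && $c === '/' && $next === '*') {
            // block comment: ignore everything up to the closing marker
            $end = strpos($sql, '*/', $i + 2);
            $i = ($end === false) ? $len : $end + 1;
        } elseif ($c === "'" || $c === '"') {
            // quoted literal or identifier: jump to the closing quote
            $end = strpos($sql, $c, $i + 1);
            $i = ($end === false) ? $len : $end;
        } elseif ($c === ':' && $next === ':') {
            $i++; // PostgreSQL cast operator, not a parameter
        } elseif ($c === '?') {
            $found[] = '?'; // positional placeholder
        } elseif ($c === ':' && preg_match('/\G\w+/', $sql, $m, 0, $i + 1)) {
            $found[] = ':' . $m[0]; // named placeholder
            $i += strlen($m[0]);
        }
    }
    return $found;
}

// The two queries from the test script, as nowdoc to avoid PHP escaping.
$sql_1 = <<<'SQL'
SELECT -- that's strange
  SUBSTRING( '{"radius":8000}'::text FROM '(?:"radius":)([\d\.]*)') AS zzz
SQL;
$sql_2 = <<<'SQL'
SELECT -- that's strange
  SUBSTRING( prms::text FROM '(?:"radius":)([\d\.]*)') AS zzz
FROM _test.t_test
SQL;

foreach ([$sql_1, $sql_2] as $n => $sql) {
    echo 'query #', $n + 1, ' comment-blind: ', json_encode(findPlaceholders($sql, false)), "\n";
    echo 'query #', $n + 1, ' comment-aware: ', json_encode(findPlaceholders($sql, true)), "\n";
}
```

With comments ignored by the scanner, query #1 yields a named and a positional marker (`:8000` and `?`), which corresponds to the "mixed named and positional parameters" error, and query #2 yields a single `?`; with comments skipped, neither query contains a placeholder.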