php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #71628 Column names with ? in them confuse the PDO parameter binding
Submitted: 2016-02-19 01:21 UTC Modified: 2021-09-14 11:22 UTC
Votes:5
Avg. Score:3.2 ± 1.6
Reproduced:3 of 4 (75.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: californialife88 at hotmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 5.6.18 OS: Windows 7
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: californialife88 at hotmail dot com
New email:
PHP Version: OS:

 

 [2016-02-19 01:21 UTC] californialife88 at hotmail dot com
Description:
------------
This bug has been described well in the following Stack Overflow thread:

http://stackoverflow.com/questions/12092907/php-pdo-insert-to-column-with-question-mark-in-name/35495548#35495548

In particular, please check out the Original Post and the reply by Andre.

Test script:
---------------
INSERT INTO `myTable` (`Id`, `Title`, `Expired?`) VALUES (?, ?, ?)

followed by a binding for the 3 variables.

Notice the '?' in one of the column names...

Expected result:
----------------
Insert operation in database

Actual result:
--------------
Error message: "wrong number of parameters passed"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-02-19 02:11 UTC] requinix@php.net
-Type: Bug +Type: Feature/Change Request -PHP Version: 5.5.32 +PHP Version: 5.6.18
 [2016-02-19 02:11 UTC] requinix@php.net
Disable emulated prepares.

MySQL, and only MySQL, uses backticks as a way of quoting identifiers, but PDO is general purpose so it doesn't know about MySQL's idiosyncrasies when it tries to parse the statement looking for placeholders.

The only way I could see this being solved is if statement parsing was offloaded to the driver instead of being handled by vanilla PDO.
 [2021-09-14 11:22 UTC] cmb@php.net
> MySQL, and only MySQL, uses backticks as a way of quoting
> identifiers, but PDO is general purpose so it doesn't know about
> MySQL's idiosyncrasies when it tries to parse the statement
> looking for placeholders.

While PDO indeed ignores backtick quoting, it is aware of
backslash escaping, which is non standard as well (see bug
#79276).

> The only way I could see this being solved is if statement
> parsing was offloaded to the driver instead of being handled by
> vanilla PDO.

That.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 11:01:32 2024 UTC