|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72065 Single backslash problem in parametrized query
Submitted: 2016-04-20 15:11 UTC Modified: 2016-07-10 05:57 UTC
From: jaro at ttx dot sk Assigned:
Status: Wont fix Package: PDO PgSQL
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: jaro at ttx dot sk
New email:
PHP Version: OS:


 [2016-04-20 15:11 UTC] jaro at ttx dot sk
There is a problem with single backlash string in parametrized qurery. When I try run test script it gives me error. String with backslash is quoted with PDO::quote with posgresql driver. It seems valid if not used with parametrized query with next string with quotes.
Valid sql:
INSERT INTO test_quote ("id","text","text2","text3","text4") VALUES (1,'aaa',?,'\','test4')
Invalid sql:
INSERT INTO test_quote ("id","text","text2","text3","text4") VALUES (1,'aaa','\',?,'test4')
It affects all versions of php from 5.5 and above what I tested.

Test script:
$dbh = new PDO('pgsql:host=postgres;dbname=test','test_user','test');
$dbh->exec('DROP TABLE IF EXISTS test_quote');
$dbh->exec('CREATE TABLE test_quote ( id int, text varchar(40), text2 varchar(40), text3 varchar(40), text4 varchar(40) )');

$sql = <<<'EOT'
INSERT INTO test_quote ("id","text","text2","text3","text4") VALUES (1,?,'\',?,'test4')
try {
  $statement = $dbh->prepare($sql);
  $statement->bindValue( 1 , 'test1', PDO::PARAM_STR);
  $statement->bindValue( 2 , 'test3', PDO::PARAM_STR);
} catch (PDOException $e) {
  echo 'Connection failed: ' . $e->getMessage();

Actual result:
Connection failed: SQLSTATE[42601]: Syntax error: 7 ERROR:  syntax error at or near ","
LINE 1: ...,"text","text2","text3","text4") VALUES (1,$1,'\',?,'test4')


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-07-10 05:56 UTC]
-Status: Open +Status: Wont fix
 [2016-07-10 05:56 UTC]
PDO's SQL parser has to be compatible with many SQL dialects. In many of them (including old Postgres versions) the backslash is the escape character, so "'\',?,'test4'" is interpreted as "',?'" followed by "test4'".

I don't think it's feasible to make it "standards_strings" compliant on Postgres without deeply changing how PDO works or breaking other drivers.

The following should work instead:

INSERT INTO test_quote ("id","text","text2","text3","text4") VALUES (1,?,E'\\',?,'test4')
 [2016-07-10 05:57 UTC]
-Package: PDO related +Package: PDO PgSQL
 [2016-07-18 13:30 UTC] jaro at ttx dot sk
I experienced this problem with php framework. I don't know solution (fix this in frameworks?). I dig problem and found there is problem with single backslash with pdo driver.
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Nov 25 06:01:23 2020 UTC