Bug #72368 PdoStatement->execute() fails but does not throw an exception
Submitted: 2016-06-09 09:47 UTC Modified: 2020-12-10 15:18 UTC
Avg. Score:3.4 ± 1.5
Reproduced:4 of 5 (80.0%)
Same Version:0 (0.0%)
Same OS:2 (50.0%)
From: fredrik at neam dot se Assigned:
Status: Closed Package: PDO MySQL
PHP Version: 7.0.7 OS: Any
Private report: No CVE-ID: None
 [2016-06-09 09:47 UTC] fredrik at neam dot se
PdoStatement->execute() fails but does not throw an exception when supplying parameters to execute() whilst not using any placeholders in the query.

Tested on PHP 7.0.7, 5.6.20 and HHVM 3.13.1

Test script:
$dbh = new PDO('###');
$params = [":bar" => 1];
$sql = "SELECT 1";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute($params);

Expected result:
Either ->execute() should return true and the result set be populated, or an exception should be thrown (like it does for the below case):

$dbh = new PDO('###');
$params = [":bar" => 1];
$sql = "SELECT :foo";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute($params);

Actual result:
$result is false, but an exception is not thrown. The result set is empty.

This is problematic since when the error mode is set to PDO::ERRMODE_EXCEPTION, it is fair to assume that failed statements result in thrown exceptions, so that the return variable must not be checked after each usage of ->execute().


bug72368_test (last revision 2016-07-10 05:35 UTC by

 [2016-07-10 05:34 UTC]
-Package: PDO related
+Package: PDO MySQL
-Operating System: Debian Jessie
+Operating System: Any
 [2016-07-10 05:34 UTC]
Moving to pdo_mysql as both pdo_sqlite and pdo_pgsql raise an exception, as expected. I haven't tested the other drivers, but I will attach a patch that adds a PDO Common test for the issue.
 [2016-07-10 05:35 UTC]
The following patch has been added/updated:

Patch Name: bug72368_test
Revision:   1468128909
 [2019-06-12 21:48 UTC] dan dot mara at gmail dot com
I experience this issue as well with dblib. Using SQL Server Profiler, I confirmed that it was indeed triggering exceptions at the DB level, but they are not being thrown by PDO. It seems inconsistent, in that I only get exceptions when executing a statement where I did something like forgetting to bind a parameter.

The following should demonstrate the issue:

$conn = new PDO('dblib:host=XXX;dbname=XXX', 'REDACTED', 'REDACTED');

$stmt = $conn->prepare("SELECT thistable FROM doesnotexist");
try {
	$stmt->execute();
} catch (Exception $ex) {
	die("I am never reached");
}

The above WILL reach SQL Server, and emit an EventClass of "Exception", but PDO does not trickle it down to a PDOException. It's extremely unreliable.
 [2020-12-10 15:18 UTC]
-Status: Open
+Status: Verified
 [2020-12-10 15:18 UTC]
The problem here seems to be specifically the case where a) emulated prepared statements are used and b) there are no placeholders in the query. In that case we hit an early bailout and don't validate the passed parameters.
 [2020-12-10 15:55 UTC]
Automatic comment on behalf of
Log: Fixed bug #72368
 [2020-12-10 15:55 UTC]
-Status: Verified
+Status: Closed
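
A defensive wrapper for the failure mode discussed in this report, as an added example that is not part of the bug thread or of PHP itself: it rejects parameters that do not match the query's named placeholders and treats a false return from execute() as an error even when no exception was thrown. The helper names `namedPlaceholders()` and `executeStrict()` are hypothetical, the placeholder scanner is a simplification, and the demo assumes PHP 7.4+ with pdo_sqlite so that it runs offline.

```php
<?php
declare(strict_types=1);

/** Names of the :named placeholders in $sql. Simplified scanner (assumption):
 *  skips quoted literals and '::' casts, does not understand SQL comments. */
function namedPlaceholders(string $sql): array
{
    // Blank out quoted literals so a ':x' inside a string is not counted.
    $stripped = preg_replace("/'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"/", "''", $sql) ?? $sql;
    preg_match_all('/(?<!:):([A-Za-z_][A-Za-z0-9_]*)/', $stripped, $m);
    return array_values(array_unique($m[1]));
}

/** Hypothetical helper: execute $stmt and fail loudly on every failure path,
 *  including "returns false without throwing". */
function executeStrict(PDOStatement $stmt, array $params = []): PDOStatement
{
    $expected = namedPlaceholders($stmt->queryString);
    $given = array_map(fn($k) => ltrim((string) $k, ':'), array_keys($params));
    // Positional (?) binding uses integer keys; only named binding is checked here.
    if (!is_int(array_key_first($params))) {
        $extra = array_diff($given, $expected);
        $missing = array_diff($expected, $given);
        if ($extra || $missing) {
            throw new InvalidArgumentException(sprintf(
                'Parameter mismatch: unexpected [%s], missing [%s]',
                implode(', ', $extra), implode(', ', $missing)
            ));
        }
    }
    if ($stmt->execute($params) === false) {
        // Do not rely on ERRMODE_EXCEPTION alone: surface the silent failure.
        throw new RuntimeException('execute() returned false: ' . json_encode($stmt->errorInfo()));
    }
    return $stmt;
}

// Constructed demo on in-memory SQLite (not the MySQL setup from the report).
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
echo executeStrict($dbh->prepare('SELECT :foo'), [':foo' => 1])->fetchColumn(), "\n";
try {
    executeStrict($dbh->prepare('SELECT 1'), [':bar' => 1]); // query and params from the test script
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the mismatch is detected before the driver is called, the check behaves the same whether or not the driver in use validates the parameters itself.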