php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74186 Error if sql query has a criteria's length larger than columns' max length
Submitted: 2017-03-01 05:29 UTC Modified: 2020-09-29 10:58 UTC
From: lobo__911 at hotmail dot com Assigned:
Status: Verified Package: PDO ODBC
PHP Version: 7.0.16 OS: ALL
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-03-01 05:29 UTC] lobo__911 at hotmail dot com
Description:
------------
Please, read this github issue and follow the SO question: https://github.com/Microsoft/msphpsql/issues/307


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-09-29 10:58 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-09-29 10:58 UTC] cmb@php.net
Test script:

<?php
$pdo = new PDO($dsn, $user, $pass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("DROP TABLE bug74186");
$pdo->exec("CREATE TABLE bug74186 (col VARCHAR(10))");
$pdo->exec("INSERT INTO bug74186 VALUES ('something')");

$stmt = $pdo->prepare("SELECT * FROM bug74186 WHERE col = ?");
var_dump($stmt->execute([str_repeat("0123456789", 27)]));
?>

Fails with: SQLSTATE[HY010]: Function sequence error.

The problem is that we're binding the parameter[1] with the proper
ColumnSize (aka. precision) of 10[1], but then putting data into
the parameter[2] which exceeds that column size.  The ODBC Driver
for SQL Server (and maybe others as well, but not, for instance,
the MySQL ODBC 8.0 Unicode Driver; according to the ODBC
Specification 3.8 either behavior seems to be conforming) is picky
about that, and SQLPutData() actually fails with [22001] String
data, right truncation; we don't catch that error, but go on
calling SQLParamData() again, what triggers the [HY010] Function
sequence error.

The same issue occurs also if the user prepares respective DML
queries.

It is not clear *how* we should solve this.  We could either be
strict about the length of bound parameters and reject these right
away, or we could be more liberal for strict drivers by silently
truncating the parameter values.  The latter would not break BC,
but might be regarded the wrong behavior.

[1] <https://github.com/php/php-src/blob/php-7.3.23/ext/pdo_odbc/odbc_stmt.c#L379-L386>
[2] <https://github.com/php/php-src/blob/php-7.3.23/ext/pdo_odbc/odbc_stmt.c#L200-L201>
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Oct 28 21:01:24 2020 UTC