|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74220 Special crafted SQL statement trips PDO
Submitted: 2017-03-07 22:34 UTC Modified: -
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: Assigned:
Status: Open Package: PDO PgSQL
PHP Version: 7.1.2 OS: Ubuntu 14.04
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-03-07 22:34 UTC]
I initially reported this at but was told "If you can reproduce this issue with raw PDO, then its not a CakePHP issue."

The provided SQL statement, as executed with PDO, does not insert the provided data correctly.

Prerequisites: create a db role / database table:

postgres=# create role username login password 'password';
postgres=# create database db owner username;
postgres=# \c db
You are now connected to database "db" as user "postgres".
db=# set role username;
db=> create table models(field varchar(12));

The provided SQL statement (see test script) is valid Postgres syntax.

Test script:
$pdo = new PDO('pgsql:host=localhost;dbname=db', 'username', 'password');
$sql = <<<SQL
INSERT INTO models (field) values('\'':1');

$result = $pdo->query('SELECT * FROM models');

Expected result:
array(1) {
  array(2) {
    string(4) "\':1"
    string(4) "\':1"

Actual result:
array(1) {
  array(2) {
    string(4) "\'$1"
    string(4) "\'$1"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-03-08 12:14 UTC]
Not sure if I missed something obvious. For now I found multiple ways to
make it work:

1. use prepared statements (i.e. use :name or ? placeholder, etc.)
2. set the PDO flag PDO::ATTR_EMULATE_PREPARES to true
3. apply pgsql C-Style escape syntax [1], i.e. VALUES(E'\\'':1)

About 2): this worked for simple cases but failed in a large
application, didn't yet investigate why

About 3): haven't dug deeper whether this can cause more troubles or not

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Mar 02 02:01:28 2024 UTC