php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #76647 PDO's query parser should warn with multiple named parameters
Submitted: 2018-07-19 15:11 UTC Modified: 2021-09-28 12:20 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: requinix@php.net Assigned:
Status: Open Package: PDO Core
PHP Version: 7.3.0alpha4 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: requinix@php.net
New email:
PHP Version: OS:

 

 [2018-07-19 15:11 UTC] requinix@php.net 
Description:
------------
From bug #76639.

If PDO is not emulating prepares and a query contains named parameters,
  SELECT a FROM b WHERE c = :param OR d = :param

it will get rewritten to use placeholders
  SELECT a FROM b WHERE c = ? OR d = ?

When the user executes the query they will only provide one value, and that results in an error because the query requires two values. MySQL/pdo_mysql gives "SQLSTATE[HY093]: Invalid parameter number", which is technically correct but only understandable if the user knows about the rewriting. It also happens during the call to execute(), which is misleading as the problem was actually in the prepared statement given to prepare().

The docs for PDO::prepare() do speak of this:
> You cannot use a named parameter marker of the same name more than once in a prepared statement, unless
> emulation mode is on.

The request: Since PDO is parsing and rewriting queries during prepare(), it can recognize this situation happening and so should present a meaningful error message/exception at that time.

Test script:
---------------
<?php

$pdo = new PDO(...);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->prepare("SELECT :param, :param");

?>

Expected result:
----------------
Some appropriate error message or PDOException during $pdo->prepare().

Actual result:
--------------
Query is accepted and prepared even though it can't be executed.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-07-19 15:15 UTC] requinix@php.net 
Related To: Bug #76639
 [2021-09-28 12:20 UTC] cmb@php.net 
> If PDO is not emulating prepares and a query contains named parameters,
>   SELECT a FROM b WHERE c = :param OR d = :param
>
> it will get rewritten to use placeholders
>   SELECT a FROM b WHERE c = ? OR d = ?

This is driver specific.  If the driver supports either parameter
style (e.g. PDO_SQLite), there is no need to call
pdo_parse_params(), so the query won't be rewritten.

> Some appropriate error message or PDOException during
> $pdo->prepare().

Maybe we should generally emit a notice if the query is rewritten?
Otherwise the following code will successfully execute with
emulated prepares, but not with native prepares (PDO_MySQL,
PHP-7.4):

<?php
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, $emulate);
$stmt = $pdo->prepare('SELECT :a as foo, :b as bar');
$stmt->execute([1, 2]);
?>

Or is this a particular glitch of PDO_MySQL?
 [2021-09-28 12:25 UTC] cmb@php.net 
Related To: Bug #48856
 [2023-05-02 10:06 UTC] ashumalikh758 at gmail dot com 
Education Exam News are sharing latest news about education, exam, study, college and university, school, teaching, learning etc. More info to visit our website: (https://educationexamnews.com)github.com
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jul 17 14:04:04 2025 UTC