|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77490 PDO does not throw an exception when more values than parameters are used
Submitted: 2019-01-20 00:12 UTC Modified: 2020-12-11 15:26 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Duplicate Package: PDO related
PHP Version: 7.3.1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: love at sickpeople dot se
New email:
PHP Version: OS:


 [2019-01-20 00:12 UTC] love at sickpeople dot se
When using ERRMODE_EXCEPTION, a call to execute() with *more values* than parameters does not throw an exception. The call fails with false. The query is not executed by the db.

The docs of execute() states: "Binding more values than specified is not possible; if more keys exist in input_parameters than in the SQL specified in the PDO::prepare(), then the statement will fail and an error is emitted."

I've tested this with Mysqlnd.

Test script:
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

$stmt = $pdo->prepare('select ? a, ? b');

try {
    var_dump($stmt->execute([0]), $stmt->fetchAll(PDO::FETCH_ASSOC));
catch (Throwable $error) {
    echo $error->getMessage() . "\n";

var_dump($stmt->execute([0, 1]), $stmt->fetchAll(PDO::FETCH_ASSOC));

try {
    var_dump($stmt->execute([0, 1, 2]), $stmt->fetchAll(PDO::FETCH_ASSOC));
catch (Throwable $error) {
    echo $error->getMessage() . "\n";

Expected result:
I expect both execute() with the wrong number of values to throw an exception.

Actual result:
The last execute() fails with false and does not throw an exception.

Output from the test script:

SQLSTATE[HY093]: Invalid parameter number
array(1) {
  array(2) {
    string(1) "0"
    string(1) "1"
array(0) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-11 15:26 UTC]
-Status: Open +Status: Duplicate
 [2020-12-11 15:26 UTC]
Same root cause as bug #79131, which is recently fixed.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Feb 21 13:01:28 2024 UTC