Bug #77490 PDO does not throw an exception when more values than parameters are used
Submitted: 2019-01-20 00:12 UTC Modified: 2020-12-11 15:26 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Duplicate Package: PDO related
PHP Version: 7.3.1 OS:
Private report: No CVE-ID: None
 [2019-01-20 00:12 UTC] love at sickpeople dot se
Description:
------------
When using ERRMODE_EXCEPTION, a call to execute() with *more values* than parameters does not throw an exception. The call fails with false. The query is not executed by the db.

The docs of execute() state: "Binding more values than specified is not possible; if more keys exist in input_parameters than in the SQL specified in the PDO::prepare(), then the statement will fail and an error is emitted."

I've tested this with Mysqlnd.

Test script:
---------------
<?php
// Connection settings (left empty in the report).
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
];

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

// Statement with two positional placeholders.
$stmt = $pdo->prepare('select ? a, ? b');

// One value for two placeholders: too few.
try {
    var_dump($stmt->execute([0]), $stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (Throwable $error) {
    echo $error->getMessage() . "\n";
}

// Two values for two placeholders: correct.
var_dump($stmt->execute([0, 1]), $stmt->fetchAll(PDO::FETCH_ASSOC));

// Three values for two placeholders: too many.
try {
    var_dump($stmt->execute([0, 1, 2]), $stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (Throwable $error) {
    echo $error->getMessage() . "\n";
}


Expected result:
----------------
I expect both execute() calls with the wrong number of values to throw an exception.

Actual result:
--------------
The last execute() fails with false and does not throw an exception.

Output from the test script:

SQLSTATE[HY093]: Invalid parameter number
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "0"
    ["b"]=>
    string(1) "1"
  }
}
bool(false)
array(0) {
}


 [2020-12-11 15:26 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2020-12-11 15:26 UTC] nikic@php.net
Same root cause as bug #79131, which was recently fixed.
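
A guard against the behaviour reported above, as an added example that is not part of the original report or of PHP's own code: it treats a false return from execute() as a failure even under ERRMODE_EXCEPTION, so a failed query is never read as "no rows". The helper name executeStrict and the in-memory SQLite connection are assumptions for illustration; the report itself was against MySQL with mysqlnd.

```php
<?php
/**
 * Hypothetical helper (not part of PDO): run a prepared statement and
 * fail closed when execute() signals failure by return value instead of
 * by exception, which is the case described in this report.
 */
function executeStrict(PDOStatement $stmt, array $params = []): PDOStatement
{
    // A PDOException raised by the driver propagates unchanged.
    if ($stmt->execute($params) === false) {
        // errorInfo() returns [SQLSTATE, driver code, driver message].
        [$sqlState, $code, $message] = $stmt->errorInfo() + [null, null, null];
        throw new RuntimeException(sprintf(
            'execute() returned false without throwing (SQLSTATE %s, driver code %s): %s',
            $sqlState ?? 'n/a',
            $code ?? 'n/a',
            $message ?? 'no driver message'
        ));
    }
    return $stmt;
}

// Constructed demo: in-memory SQLite stands in for the MySQL server of the
// report (assumption). Driver behaviour for a wrong value count may differ;
// the helper covers both the exception and the false-return path.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('select ? a, ? b');

foreach ([[0], [0, 1], [0, 1, 2]] as $params) {
    try {
        $rows = executeStrict($stmt, $params)->fetchAll(PDO::FETCH_ASSOC);
        echo count($params), ' value(s): ok, ', count($rows), " row(s)\n";
    } catch (RuntimeException $e) {
        // PDOException is a subclass of RuntimeException, so both the
        // driver's exception and the helper's own land here.
        echo count($params), ' value(s): ', get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```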
 