Bug #77490 PDO does not throw an exception when more values than parameters are used
Submitted: 2019-01-20 00:12 UTC Modified: 2020-12-11 15:26 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Duplicate Package: PDO related
PHP Version: 7.3.1 OS:
Private report: No CVE-ID: None

 [2019-01-20 00:12 UTC] love at sickpeople dot se
Description:
------------
When using ERRMODE_EXCEPTION, a call to execute() with *more values* than parameters does not throw an exception. The call fails with false. The query is not executed by the db.

The docs of execute() state: "Binding more values than specified is not possible; if more keys exist in input_parameters than in the SQL specified in the PDO::prepare(), then the statement will fail and an error is emitted."

I've tested this with Mysqlnd.

Test script:
---------------
<?php
// Connection details for a MySQL server reached through mysqlnd.
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
];

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

// Two positional parameters.
$stmt = $pdo->prepare('select ? a, ? b');

// Too few values.
try {
    var_dump($stmt->execute([0]), $stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (Throwable $error) {
    echo $error->getMessage() . "\n";
}

// Matching number of values.
var_dump($stmt->execute([0, 1]), $stmt->fetchAll(PDO::FETCH_ASSOC));

// Too many values.
try {
    var_dump($stmt->execute([0, 1, 2]), $stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (Throwable $error) {
    echo $error->getMessage() . "\n";
}


Expected result:
----------------
I expect both execute() calls with the wrong number of values to throw an exception.

Actual result:
--------------
The last execute() fails with false and does not throw an exception.

Output from the test script:

SQLSTATE[HY093]: Invalid parameter number
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "0"
    ["b"]=>
    string(1) "1"
  }
}
bool(false)
array(0) {
}


 [2020-12-11 15:26 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2020-12-11 15:26 UTC] nikic@php.net
Same root cause as bug #79131, which was recently fixed.
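
A defensive wrapper for the failure mode reported above, as an added example that is not part of the original report or of PHP itself: `executeStrict()` is a hypothetical helper that does not rely on ERRMODE_EXCEPTION alone and raises whenever execute() returns false. The in-memory SQLite connection is an assumption made so the demo runs offline (it needs pdo_sqlite); the report's case is MySQL through mysqlnd with emulated prepares off.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a PDO API): execute a prepared statement and treat
 * a false return value as a hard failure, whatever ATTR_ERRMODE is set to.
 */
function executeStrict(PDOStatement $stmt, array $values): PDOStatement
{
    // A PDOException raised by the driver propagates to the caller unchanged.
    if ($stmt->execute($values) === false) {
        // errorInfo() is [SQLSTATE, driver code, driver message]; entries may be null.
        [$state, $code, $msg] = $stmt->errorInfo() + [null, null, null];
        throw new RuntimeException(sprintf(
            'execute() returned false for "%s" with %d value(s) (SQLSTATE %s, driver code %s: %s)',
            $stmt->queryString,
            count($values),
            $state ?? 'n/a',
            $code ?? 'n/a',
            $msg ?? 'no driver message'
        ));
    }
    return $stmt;
}

// Constructed demo: in-memory SQLite stands in for the MySQL server (assumption).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('select ? a, ? b');

// Matching value count, then one value too many (the case from the report).
foreach ([[0, 1], [0, 1, 2]] as $values) {
    try {
        $rows = executeStrict($stmt, $values)->fetchAll(PDO::FETCH_ASSOC);
        echo count($values), ' value(s): ok ', json_encode($rows), "\n";
    } catch (RuntimeException $e) {
        // PDOException extends RuntimeException, so this catches both the
        // driver's own exception and the one raised for a silent false.
        echo count($values), ' value(s): rejected (', get_class($e), ') ',
            $e->getMessage(), "\n";
    }
}
```

Which branch fires for the extra value depends on the driver and PHP version; on the setup in the report the driver returns false without throwing, so the RuntimeException branch is the one that surfaces the failure.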
Last updated: Sun Nov 03 13:01:28 2024 UTC