php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79131 PDO does not throw an exception when parameter values are missing
Submitted: 2020-01-16 15:33 UTC Modified: 2020-12-10 14:29 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Closed Package: PDO MySQL
PHP Version: 7.4.1 OS:
Private report: No CVE-ID: None
 [2020-01-16 15:33 UTC] love at sickpeople dot se
Description:
------------
In the test script I execute the same statement three times. The last execution has two parameters but the second parameter has array key 2 instead of 1 and is thus missing.

PDO returns false instead of throwing an exception.

Note that emulated PREPARE must be disabled.

Test script:
---------------
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
  ];

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

$stmt = $pdo->prepare('select ? a, ? b');

$set = [
    ['a', 'b'],
    [0 => 'a', 1 => 'b'],
    [0 => 'a', 2 => 'b'], /* Note the array keys */
  ];

foreach ($set as $params) {

    try {
        var_dump($stmt->execute($params), $stmt->fetchAll(PDO::FETCH_ASSOC));
      }
    catch (Throwable $error) {
        echo $error->getMessage() . "\n";
      }

  }


Expected result:
----------------
If emulated PREPARE is enabled, an error "SQLSTATE[HY093]: Invalid parameter number: parameter was not defined" is issued. The same error should be thrown as an exception.

Actual result:
--------------
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "a"
    ["b"]=>
    string(1) "b"
  }
}
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "a"
    ["b"]=>
    string(1) "b"
  }
}
bool(false)
array(0) {
}


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-17 12:46 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-01-17 12:46 UTC] cmb@php.net
This is closely related to bug #79132, but it's not quite a
duplicate, because removing the first two values of $set still
triggers the reported behavior.  The issue is that only the number
of elements are checked, not their keys, although the
documentation states[1]:

| The keys from input_parameters must match the ones declared in
| the SQL. Before PHP 5.2.0 this was silently ignored.

[1] <https://www.php.net/manual/en/pdostatement.execute.php#refsect1-pdostatement.execute-changelog>
 [2020-01-22 20:34 UTC] adambaratz@php.net
-Package: PDO related +Package: PDO MySQL
 [2020-01-22 20:34 UTC] adambaratz@php.net
I think this bug is specific to pdo_mysql. At least, it's not an issue with pdo_sqlite. If helpful, I turned the test case into a .phpt file:
https://github.com/adambaratz/php-src/commit/e905da74accf1291000d4ee4f8f1c071fb6f3dee
 [2020-12-10 14:29 UTC] nikic@php.net
The problem here is that PDO does not propagate errors from EVT_ALLOC (which PDO MySQL correctly sets).

Fixing that would be one line, but then we run into the problem that PDO PgSQL already works around this by raising an impl error in EVT_ALLOC...
 [2020-12-10 14:53 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=15b51a215ac08fa72aa6ea44755f7134710f9004
Log: Fixed bug #79131
 [2020-12-10 14:53 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 08 15:01:27 2024 UTC