php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79131 PDO does not throw an exception when parameter values are missing
Submitted: 2020-01-16 15:33 UTC Modified: 2020-01-22 20:34 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Verified Package: PDO MySQL
PHP Version: 7.4.1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: love at sickpeople dot se
New email:
PHP Version: OS:

 

 [2020-01-16 15:33 UTC] love at sickpeople dot se
Description:
------------
In the test script I execute the same statement three times. The last execution has two parameters but the second parameter has array key 2 instead of 1 and is thus missing.

PDO returns false instead of throwing an exception.

Note that emulated PREPARE must be disabled.

Test script:
---------------
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
  ];

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

$stmt = $pdo->prepare('select ? a, ? b');

$set = [
    ['a', 'b'],
    [0 => 'a', 1 => 'b'],
    [0 => 'a', 2 => 'b'], /* Note the array keys */
  ];

foreach ($set as $params) {

    try {
        var_dump($stmt->execute($params), $stmt->fetchAll(PDO::FETCH_ASSOC));
      }
    catch (Throwable $error) {
        echo $error->getMessage() . "\n";
      }

  }


Expected result:
----------------
If emulated PREPARE is enabled, an error "SQLSTATE[HY093]: Invalid parameter number: parameter was not defined" is issued. The same error should be thrown as an exception.

Actual result:
--------------
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "a"
    ["b"]=>
    string(1) "b"
  }
}
bool(true)
array(1) {
  [0]=>
  array(2) {
    ["a"]=>
    string(1) "a"
    ["b"]=>
    string(1) "b"
  }
}
bool(false)
array(0) {
}


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-17 12:46 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-01-17 12:46 UTC] cmb@php.net
This is closely related to bug #79132, but it's not quite a
duplicate, because removing the first two values of $set still
triggers the reported behavior.  The issue is that only the number
of elements are checked, not their keys, although the
documentation states[1]:

| The keys from input_parameters must match the ones declared in
| the SQL. Before PHP 5.2.0 this was silently ignored.

[1] <https://www.php.net/manual/en/pdostatement.execute.php#refsect1-pdostatement.execute-changelog>
 [2020-01-22 20:34 UTC] adambaratz@php.net
-Package: PDO related +Package: PDO MySQL
 [2020-01-22 20:34 UTC] adambaratz@php.net
I think this bug is specific to pdo_mysql. At least, it's not an issue with pdo_sqlite. If helpful, I turned the test case into a .phpt file:
https://github.com/adambaratz/php-src/commit/e905da74accf1291000d4ee4f8f1c071fb6f3dee
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Oct 22 13:01:24 2020 UTC