|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79131 PDO does not throw an exception when parameter values are missing
Submitted: 2020-01-16 15:33 UTC Modified: 2020-01-22 20:34 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Verified Package: PDO MySQL
PHP Version: 7.4.1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: love at sickpeople dot se
New email:
PHP Version: OS:


 [2020-01-16 15:33 UTC] love at sickpeople dot se
In the test script I execute the same statement three times. The last execution has two parameters but the second parameter has array key 2 instead of 1 and is thus missing.

PDO returns false instead of throwing an exception.

Note that emulated PREPARE must be disabled.

Test script:
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

$stmt = $pdo->prepare('select ? a, ? b');

$set = [
    ['a', 'b'],
    [0 => 'a', 1 => 'b'],
    [0 => 'a', 2 => 'b'], /* Note the array keys */

foreach ($set as $params) {

    try {
        var_dump($stmt->execute($params), $stmt->fetchAll(PDO::FETCH_ASSOC));
    catch (Throwable $error) {
        echo $error->getMessage() . "\n";


Expected result:
If emulated PREPARE is enabled, an error "SQLSTATE[HY093]: Invalid parameter number: parameter was not defined" is issued. The same error should be thrown as an exception.

Actual result:
array(1) {
  array(2) {
    string(1) "a"
    string(1) "b"
array(1) {
  array(2) {
    string(1) "a"
    string(1) "b"
array(0) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-17 12:46 UTC]
-Status: Open +Status: Verified
 [2020-01-17 12:46 UTC]
This is closely related to bug #79132, but it's not quite a
duplicate, because removing the first two values of $set still
triggers the reported behavior.  The issue is that only the number
of elements are checked, not their keys, although the
documentation states[1]:

| The keys from input_parameters must match the ones declared in
| the SQL. Before PHP 5.2.0 this was silently ignored.

[1] <>
 [2020-01-22 20:34 UTC]
-Package: PDO related +Package: PDO MySQL
 [2020-01-22 20:34 UTC]
I think this bug is specific to pdo_mysql. At least, it's not an issue with pdo_sqlite. If helpful, I turned the test case into a .phpt file:
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Oct 22 13:01:24 2020 UTC