|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79131 PDO does not throw an exception when parameter values are missing
Submitted: 2020-01-16 15:33 UTC Modified: 2020-12-10 14:29 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Closed Package: PDO MySQL
PHP Version: 7.4.1 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: love at sickpeople dot se
New email:
PHP Version: OS:


 [2020-01-16 15:33 UTC] love at sickpeople dot se
In the test script I execute the same statement three times. The last execution has two parameters but the second parameter has array key 2 instead of 1 and is thus missing.

PDO returns false instead of throwing an exception.

Note that emulated PREPARE must be disabled.

Test script:
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

$stmt = $pdo->prepare('select ? a, ? b');

$set = [
    ['a', 'b'],
    [0 => 'a', 1 => 'b'],
    [0 => 'a', 2 => 'b'], /* Note the array keys */

foreach ($set as $params) {

    try {
        var_dump($stmt->execute($params), $stmt->fetchAll(PDO::FETCH_ASSOC));
    catch (Throwable $error) {
        echo $error->getMessage() . "\n";


Expected result:
If emulated PREPARE is enabled, an error "SQLSTATE[HY093]: Invalid parameter number: parameter was not defined" is issued. The same error should be thrown as an exception.

Actual result:
array(1) {
  array(2) {
    string(1) "a"
    string(1) "b"
array(1) {
  array(2) {
    string(1) "a"
    string(1) "b"
array(0) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-17 12:46 UTC]
-Status: Open +Status: Verified
 [2020-01-17 12:46 UTC]
This is closely related to bug #79132, but it's not quite a
duplicate, because removing the first two values of $set still
triggers the reported behavior.  The issue is that only the number
of elements are checked, not their keys, although the
documentation states[1]:

| The keys from input_parameters must match the ones declared in
| the SQL. Before PHP 5.2.0 this was silently ignored.

[1] <>
 [2020-01-22 20:34 UTC]
-Package: PDO related +Package: PDO MySQL
 [2020-01-22 20:34 UTC]
I think this bug is specific to pdo_mysql. At least, it's not an issue with pdo_sqlite. If helpful, I turned the test case into a .phpt file:
 [2020-12-10 14:29 UTC]
The problem here is that PDO does not propagate errors from EVT_ALLOC (which PDO MySQL correctly sets).

Fixing that would be one line, but then we run into the problem that PDO PgSQL already works around this by raising an impl error in EVT_ALLOC...
 [2020-12-10 14:53 UTC]
Automatic comment on behalf of
Log: Fixed bug #79131
 [2020-12-10 14:53 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Dec 03 19:03:33 2021 UTC