|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79131 PDO does not throw an exception when parameter values are missing
Submitted: 2020-01-16 15:33 UTC Modified: 2020-12-10 14:29 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: love at sickpeople dot se Assigned:
Status: Closed Package: PDO MySQL
PHP Version: 7.4.1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
22 - 4 = ?
Subscribe to this entry?

 [2020-01-16 15:33 UTC] love at sickpeople dot se
In the test script I execute the same statement three times. The last execution has two parameters but the second parameter has array key 2 instead of 1 and is thus missing.

PDO returns false instead of throwing an exception.

Note that emulated PREPARE must be disabled.

Test script:
$host = '';
$db = '';
$user = '';
$pass = '';

$options = [
    PDO::ATTR_EMULATE_PREPARES => false, /* required */

$pdo = new PDO("mysql:host=$host; dbname=$db; charset=utf8mb4", $user, $pass, $options);

$stmt = $pdo->prepare('select ? a, ? b');

$set = [
    ['a', 'b'],
    [0 => 'a', 1 => 'b'],
    [0 => 'a', 2 => 'b'], /* Note the array keys */

foreach ($set as $params) {

    try {
        var_dump($stmt->execute($params), $stmt->fetchAll(PDO::FETCH_ASSOC));
    catch (Throwable $error) {
        echo $error->getMessage() . "\n";


Expected result:
If emulated PREPARE is enabled, an error "SQLSTATE[HY093]: Invalid parameter number: parameter was not defined" is issued. The same error should be thrown as an exception.

Actual result:
array(1) {
  array(2) {
    string(1) "a"
    string(1) "b"
array(1) {
  array(2) {
    string(1) "a"
    string(1) "b"
array(0) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-17 12:46 UTC]
-Status: Open +Status: Verified
 [2020-01-17 12:46 UTC]
This is closely related to bug #79132, but it's not quite a
duplicate, because removing the first two values of $set still
triggers the reported behavior.  The issue is that only the number
of elements are checked, not their keys, although the
documentation states[1]:

| The keys from input_parameters must match the ones declared in
| the SQL. Before PHP 5.2.0 this was silently ignored.

[1] <>
 [2020-01-22 20:34 UTC]
-Package: PDO related +Package: PDO MySQL
 [2020-01-22 20:34 UTC]
I think this bug is specific to pdo_mysql. At least, it's not an issue with pdo_sqlite. If helpful, I turned the test case into a .phpt file:
 [2020-12-10 14:29 UTC]
The problem here is that PDO does not propagate errors from EVT_ALLOC (which PDO MySQL correctly sets).

Fixing that would be one line, but then we run into the problem that PDO PgSQL already works around this by raising an impl error in EVT_ALLOC...
 [2020-12-10 14:53 UTC]
Automatic comment on behalf of
Log: Fixed bug #79131
 [2020-12-10 14:53 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Oct 02 06:01:24 2023 UTC