|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #79269 Bundled SQLite is compiled without SQLITE_MAX_VARIABLE_NUMBER
Submitted: 2020-02-13 00:28 UTC Modified: 2020-12-22 16:52 UTC
From: effulgentsia1 at gmail dot com Assigned:
Status: Wont fix Package: PDO SQLite
PHP Version: 7.3.14 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: effulgentsia1 at gmail dot com
New email:
PHP Version: OS:


 [2020-02-13 00:28 UTC] effulgentsia1 at gmail dot com
PHP 7.4 unbundled the SQLite library, so benefits from how it was compiled on the system. Many systems (Mac OSX, Debian, Ubuntu, and others) compile it with SQLITE_MAX_VARIABLE_NUMBER=250000 or larger (

PHP 7.3 doesn't specify the flag (, so gets the low default of 999 (

It would be helpful if PHP 7.3 could match the Debian number, to make the test script work.

SQLite sets the default so low in order to prevent SQL injection attacks from allocating excessive memory on low memory embedded systems ( However, I don't think PHP is used on such systems, and a SQL injection attack in a PHP application can already do far more harm than merely allocating 18MB of memory (72 bytes * 250000).

I also filed a similar issue for Fedora (

Test script:
$large_array = range(0, 1000);

$db = new PDO('sqlite::memory:');
$placeholders = implode(', ', array_fill(0, count($large_array), '?'));
$stmt = $db->prepare("SELECT 1 WHERE 42 IN ($placeholders)");

Expected result:
It should output "bool(true)", indicating that the execute() statement executed. 

Actual result:
It outputs nothing, because the execute() statement passes more arguments than the 999 limit.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-13 19:47 UTC] effulgentsia1 at gmail dot com
I also opened as a related issue.
 [2020-12-22 16:52 UTC]
-Status: Open +Status: Wont fix
 [2020-12-22 16:52 UTC]
7.3 is no longer actively supported, 7.4 has unbundled sqlite, so this issue is no longer applicable.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Oct 01 23:01:24 2023 UTC