php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79276 PDO_API int pdo_parse_params() ignores any placeholder between two '\'
Submitted: 2020-02-15 00:19 UTC Modified: 2020-02-20 12:05 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: v-yitam at microsoft dot com Assigned:
Status: Verified Package: PDO Core
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
40 + 32 = ?
Subscribe to this entry?

 
 [2020-02-15 00:19 UTC] v-yitam at microsoft dot com
Description:
------------
PDO_API int pdo_parse_params() in ext/pdo/pdo_sql_parser.re ignores (skips) any placeholder in between two backslashes `\` 

If I replaced the backslash `\` with forward slash '/' in the query, the query succeeded and returned the row as expected.

If the following line is removed the 'problem' is gone:
https://github.com/php/php-src/blob/master/ext/pdo/pdo_sql_parser.re#L59

If this is intentional (by design), please explain or let us know if there is a workaround.



Test script:
---------------
$dbh = new PDO("sqlsrv:server=$server;Database = $db", $uid, $pwd);

$tableName = 'testPDO';
$create_sql = "CREATE TABLE $tableName(id int NOT NULL, langcode varchar(12), revision_id int, [path] nvarchar(255), [alias] nvarchar(255))"
$dbh->exec($create_sql1);

$insert_sql = "INSERT INTO $tableName(id, langcode, revision_id, [path], [alias]) VALUES (4, 'en', 4, '/node/3', '/')";
$dbh->exec($insert_sql);

$sql = "SELECT * FROM $tableName WHERE [path] LIKE :path ESCAPE '\' AND [langcode] like :lang ESCAPE '\'";
$args = [
    ':path' => '%node%',
    ':lang' => 'en'
];

$sth = $dbh->prepare($sql);
$sth->execute($args);
$row = $sth->fetch(PDO::FETCH_NUM);
var_dump($row);


Expected result:
----------------
array(5) {
  [0]=>
  string(1) "4"
  [1]=>
  string(2) "en"
  [2]=>
  string(1) "4"
  [3]=>
  string(7) "/node/3"
  [4]=>
  string(1) "/"
}


Actual result:
--------------
PHP Fatal error:  Uncaught PDOException: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\Workspace\Test\pdo_1093.php:53

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-15 15:23 UTC] cmb@php.net
-Status: Open +Status: Verified -Type: Feature/Change Request +Type: Bug
 [2020-02-15 15:23 UTC] cmb@php.net
> If this is intentional (by design), please explain or let us
> know if there is a workaround.

These regexps have been introduced to fix[1] bug #41125 and bug
#44251.  Basically, sacrificing some compatibility with standard
SQL in favor of support for MySQL's proprietary backslash
escaping[2].

Proper standard conforming rules would be something like

    (["](ANYNOEOF\["]|"")*["]) { RET(PDO_PARSER_TEXT); }
    (['](ANYNOEOF\[']|'')*[']) { RET(PDO_PARSER_TEXT); }

Obviously, this could break queries which use backslash escapes.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=1f54af9245c35f2ffdc8c708da9c8552ecada4f8>
[2] <https://dev.mysql.com/doc/refman/8.0/en/string-literals.html>
 [2020-02-19 16:18 UTC] v-yitam at microsoft dot com
Thanks for your prompt reply. Just wondering if this is going to be fixed or left as "by design"?
 [2020-02-19 20:04 UTC] beakerboy99 at yahoo dot com
I'm the person who originlly submitted this as a bug report to Microsoft, who then passed it on to the PHP-PDO team. I am updating the SQL Server driver for the Drupal CMS. Drupal uses backslash-escaped strings for LIKE expressions as its standard. SQL Server does not as its default, but can when specified in the expression as `field LIKE :parameter_x ESCAPE '\'`. When several LIKE expressions are used in one query, an exception is thrown. The Drupal core testsuite includes a test for this situation.

Other databases use the `ESCAPE '{delimiter}'` syntax, so this bug will likely affect those drivers as well.
 [2020-02-20 08:22 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=349240
Log: Note that PDO parser supports backslash escapes

Cf. bug #79276.
 [2020-02-20 11:21 UTC] mumumu@php.net
Automatic comment from SVN on behalf of mumumu
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=349243
Log: Note that PDO parser supports backslash escapes

Cf. bug #79276.
 [2020-02-20 12:04 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79276: PDO ignores any placeholder between two '\'
On GitHub:  https://github.com/php/php-src/pull/5190
Patch:      https://github.com/php/php-src/pull/5190.patch
 [2020-02-20 12:05 UTC] cmb@php.net
In my opionion, this should be fixed, but for BC reasons only for
PHP 8.  Let's see where the PR goes. :)
 [2020-02-20 17:26 UTC] v-yitam at microsoft dot com
Thank you I've verified that this fix solves the problem. Glad to hear that this PR is planned to be merged (despite the wait ;) )
 [2020-11-12 17:19 UTC] sartorua at gmail dot com
Is there any milestone or roadmap where it will be fixed?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 16:01:29 2024 UTC