|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79276 PDO_API int pdo_parse_params() ignores any placeholder between two '\'
Submitted: 2020-02-15 00:19 UTC Modified: 2020-02-20 12:05 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: v-yitam at microsoft dot com Assigned:
Status: Verified Package: PDO Core
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
37 - 18 = ?
Subscribe to this entry?

 [2020-02-15 00:19 UTC] v-yitam at microsoft dot com
PDO_API int pdo_parse_params() in ext/pdo/ ignores (skips) any placeholder in between two backslashes `\` 

If I replaced the backslash `\` with forward slash '/' in the query, the query succeeded and returned the row as expected.

If the following line is removed the 'problem' is gone:

If this is intentional (by design), please explain or let us know if there is a workaround.

Test script:
$dbh = new PDO("sqlsrv:server=$server;Database = $db", $uid, $pwd);

$tableName = 'testPDO';
$create_sql = "CREATE TABLE $tableName(id int NOT NULL, langcode varchar(12), revision_id int, [path] nvarchar(255), [alias] nvarchar(255))"

$insert_sql = "INSERT INTO $tableName(id, langcode, revision_id, [path], [alias]) VALUES (4, 'en', 4, '/node/3', '/')";

$sql = "SELECT * FROM $tableName WHERE [path] LIKE :path ESCAPE '\' AND [langcode] like :lang ESCAPE '\'";
$args = [
    ':path' => '%node%',
    ':lang' => 'en'

$sth = $dbh->prepare($sql);
$row = $sth->fetch(PDO::FETCH_NUM);

Expected result:
array(5) {
  string(1) "4"
  string(2) "en"
  string(1) "4"
  string(7) "/node/3"
  string(1) "/"

Actual result:
PHP Fatal error:  Uncaught PDOException: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\Workspace\Test\pdo_1093.php:53


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-15 15:23 UTC]
-Status: Open +Status: Verified -Type: Feature/Change Request +Type: Bug
 [2020-02-15 15:23 UTC]
> If this is intentional (by design), please explain or let us
> know if there is a workaround.

These regexps have been introduced to fix[1] bug #41125 and bug
#44251.  Basically, sacrificing some compatibility with standard
SQL in favor of support for MySQL's proprietary backslash

Proper standard conforming rules would be something like

    (["](ANYNOEOF\["]|"")*["]) { RET(PDO_PARSER_TEXT); }
    (['](ANYNOEOF\[']|'')*[']) { RET(PDO_PARSER_TEXT); }

Obviously, this could break queries which use backslash escapes.

[1] <;a=commit;h=1f54af9245c35f2ffdc8c708da9c8552ecada4f8>
[2] <>
 [2020-02-19 16:18 UTC] v-yitam at microsoft dot com
Thanks for your prompt reply. Just wondering if this is going to be fixed or left as "by design"?
 [2020-02-19 20:04 UTC] beakerboy99 at yahoo dot com
I'm the person who originlly submitted this as a bug report to Microsoft, who then passed it on to the PHP-PDO team. I am updating the SQL Server driver for the Drupal CMS. Drupal uses backslash-escaped strings for LIKE expressions as its standard. SQL Server does not as its default, but can when specified in the expression as `field LIKE :parameter_x ESCAPE '\'`. When several LIKE expressions are used in one query, an exception is thrown. The Drupal core testsuite includes a test for this situation.

Other databases use the `ESCAPE '{delimiter}'` syntax, so this bug will likely affect those drivers as well.
 [2020-02-20 08:22 UTC]
Automatic comment from SVN on behalf of cmb
Log: Note that PDO parser supports backslash escapes

Cf. bug #79276.
 [2020-02-20 11:21 UTC]
Automatic comment from SVN on behalf of mumumu
Log: Note that PDO parser supports backslash escapes

Cf. bug #79276.
 [2020-02-20 12:04 UTC]
The following pull request has been associated:

Patch Name: Fix #79276: PDO ignores any placeholder between two '\'
On GitHub:
 [2020-02-20 12:05 UTC]
In my opionion, this should be fixed, but for BC reasons only for
PHP 8.  Let's see where the PR goes. :)
 [2020-02-20 17:26 UTC] v-yitam at microsoft dot com
Thank you I've verified that this fix solves the problem. Glad to hear that this PR is planned to be merged (despite the wait ;) )
 [2020-11-12 17:19 UTC] sartorua at gmail dot com
Is there any milestone or roadmap where it will be fixed?
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Aug 03 21:01:25 2021 UTC