Bug #80340 PDO incorrectly parses string literals for platforms other than MySQL
Submitted: 2020-11-08 19:31 UTC
Modified: 2020-11-08 21:35 UTC
From: morozov at tut dot by
Assigned: cmb (profile)
Status: Duplicate
Package: PDO Core
PHP Version: 7.4.12
OS: Linux
Private report: No
CVE-ID: None

 [2020-11-08 19:31 UTC] morozov at tut dot by
Description:
------------
When extracting prepared statement parameters, the SQL parser doesn't take into account the dialect of the currently used database platform.

Specifically, it unconditionally expects string literals to use backslash for escaping the closing delimiter (single or double quote), although it's only supported by MySQL. It causes incorrect query parsing on other platforms (e.g. PostgreSQL).

In the following script, the parser interprets the combination of the backslash and the quote as part of the literal, so the following question mark gets replaced with the $1 placeholder; however, it should remain intact as part of the literal.

Test script:
---------------
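<?php
// Connect to PostgreSQL (DSN elided in the report).
$conn = new PDO('pgsql:...');

// Nowdoc: the query text reaches PDO exactly as written, backslash included.
$sql = <<<'SQL'
SELECT '\'', ?'
SQL;

// No parameters are bound: the question mark is meant to be literal text.
$stmt = $conn->prepare($sql);
$stmt->execute();
var_dump($stmt->fetchColumn());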

Expected result:
----------------
postgres=# SELECT '\'', ?';
 ?column? 
----------
 \', ?
(1 row)


Actual result:
--------------
\', $1
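
Added example (not part of the original report and not PDO's own parser code): a minimal C scanner showing how a dialect-blind backslash rule moves the end of the string literal in the report's query and turns the quoted question mark into a placeholder. The function name and the `backslash_escapes` flag are hypothetical; comments, dollar-quoting and named placeholders are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Rewrite `?` placeholders outside quoted literals to $1, $2, ...
 * backslash_escapes = 1: MySQL-style, a backslash escapes the next character.
 * backslash_escapes = 0: standard SQL, only a doubled quote escapes it.
 * Returns the number of placeholders found, or -1 if out is too small. */
int rewrite_placeholders(const char *sql, int backslash_escapes,
                         char *out, size_t outsz)
{
    size_t o = 0;
    int count = 0;
    char quote = 0;               /* 0 = outside a literal, else ' or " */

    for (const char *p = sql; *p; p++) {
        if (o + 16 >= outsz)      /* room for "$<int>" plus NUL */
            return -1;
        if (quote) {
            out[o++] = *p;
            if (backslash_escapes && *p == '\\' && p[1]) {
                out[o++] = *++p;  /* escaped character stays in the literal */
            } else if (*p == quote) {
                if (p[1] == quote)
                    out[o++] = *++p;  /* doubled quote stays in the literal */
                else
                    quote = 0;        /* closing delimiter */
            }
        } else if (*p == '\'' || *p == '"') {
            quote = *p;
            out[o++] = *p;
        } else if (*p == '?') {
            o += (size_t)snprintf(out + o, outsz - o, "$%d", ++count);
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return count;
}
int main(void) {
    const char *sql = "SELECT '\\'', ?'";   /* query from the report */
    char buf[64];
    for (int bs = 0; bs <= 1; bs++) {
        int n = rewrite_placeholders(sql, bs, buf, sizeof buf);
        printf("backslash_escapes=%d -> %d placeholder(s): %s\n", bs, n, buf);
    }
    return 0;
}
```

With the flag off the query passes through unchanged; with it on, the scanner closes the literal one quote early and emits `$1`, matching the behaviour described in the report.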

 [2020-11-08 21:35 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2020-11-08 21:35 UTC] cmb@php.net
Duplicate of bug #79276.
 
Last updated: Tue Oct 19 10:03:36 2021 UTC