Bug #80355 Prepared statement broke with \ and -- characters
Submitted: 2020-11-12 16:17 UTC Modified: 2020-11-12 16:47 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: sartorua at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO PgSQL
PHP Version: 7.4.12 OS: Ubuntu 20.04
Private report: No CVE-ID: None
 [2020-11-12 16:17 UTC] sartorua at gmail dot com
Description:
------------
The SQL statement parser doesn't work with prepared parameters if the SQL query string contains \ and -- characters (order matters).
PHP produces the error:

Exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: :e'

Test script:
---------------
$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$s = $pdo->prepare("SELECT v FROM (VALUES ('\'),('--')) AS u (v) WHERE u.v = :e");
$s->execute([':e' => 'foo']);
$s->fetchAll();


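Why the driver cannot find :e, as an added illustration for this report (not code from php-src or the reporter): a simplified re-implementation of the placeholder scanner in ext/pdo/pdo_sql_parser.re, using the rule I understand PHP 7.4 applies (a backslash inside a quoted literal escapes the next character, and -- starts a line comment), run beside the same scanner with the rule PostgreSQL applies when standard_conforming_strings is on (a backslash is an ordinary character; only a doubled quote escapes). pdo_pgsql rewrites named placeholders to PostgreSQL's positional $n form before preparing, so this client-side scan runs even though the server does the real prepare. The query strings are the reporter's minimal case and the same literals in the other order; the scanner itself is a model, not the real re2c code.

```python
"""Model of PDO's placeholder scan vs. PostgreSQL string lexing (added example)."""
import re

_BIND = re.compile(r":[A-Za-z0-9_]+")


def _skip_quoted(sql: str, i: int, backslash_escapes: bool):
    """Return the index just past the quoted literal opening at sql[i], or
    None when no closing quote exists (the lone quote then counts as plain
    text, which is the fallback PDO's regex-based scanner also takes)."""
    quote = sql[i]
    j, n = i + 1, len(sql)
    while j < n:
        ch = sql[j]
        if backslash_escapes and ch == "\\" and j + 1 < n:
            j += 2                      # MySQL-style escape: skip the next char
            continue
        if ch == quote:
            if j + 1 < n and sql[j + 1] == quote:
                j += 2                  # doubled quote stays inside the literal
                continue
            return j + 1
        j += 1
    return None


def find_placeholders(sql: str, backslash_escapes: bool) -> list:
    """Return the placeholders (':name' or '?') the scanner would bind,
    skipping quoted literals, -- and /* */ comments, and runs such as '::'
    (PostgreSQL casts) or '??' (escaped question mark) which are plain text."""
    found, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in "'\"":
            end = _skip_quoted(sql, i, backslash_escapes)
            i = end if end is not None else i + 1
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)      # comment hides everything to end of line
            i = n if nl < 0 else nl + 1
        elif sql.startswith("/*", i):
            close = sql.find("*/", i + 2)
            i = n if close < 0 else close + 2
        elif ch in ":?" and i + 1 < n and sql[i + 1] in ":?":
            while i < n and sql[i] in ":?":
                i += 1
        elif ch == ":":
            m = _BIND.match(sql, i)
            if m:
                found.append(m.group(0))
                i = m.end()
            else:
                i += 1
        elif ch == "?":
            found.append("?")
            i += 1
        else:
            i += 1
    return found


# Constructed inputs: the reporter's minimal query, and the same literals in
# the other order (the report says the order matters).
REPORTED_QUERY = "SELECT '\\', '--' WHERE 'q' = :e"
SWAPPED_QUERY = "SELECT '--', '\\' WHERE 'q' = :e"


def compare(sql: str) -> dict:
    """Placeholders as seen by the PDO-style scanner vs. PostgreSQL's rules."""
    return {
        "pdo_backslash_escapes": find_placeholders(sql, backslash_escapes=True),
        "postgres_standard_strings": find_placeholders(sql, backslash_escapes=False),
    }


if __name__ == "__main__":
    for label, q in (("reported", REPORTED_QUERY), ("swapped", SWAPPED_QUERY)):
        print(label, q)
        for mode, ph in compare(q).items():
            print("  %-26s -> %s" % (mode, ph))
```

With the backslash rule, the first literal in the reported query runs from the opening quote through \' and on to the quote before --, so the scanner consumes '\', ' as one string and then treats --' WHERE 'q' = :e as a comment; it returns no placeholder at all, which is exactly the HY093 "Invalid parameter number: :e" raised when execute() supplies a name the scan never saw. PostgreSQL's own rule yields three literals and the single placeholder :e. In the swapped order the PDO-style scan still mis-joins '\' WHERE ' into one literal, but the quote before q has no partner and falls back to plain text, so :e is found again, matching the reporter's observation that the order matters. The general lesson is that a client-side tokenizer that disagrees with the server about where a literal ends will either lose placeholders (as here) or see them where the server sees literal text.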
History

 [2020-11-12 16:35 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-11-12 16:35 UTC] cmb@php.net
This is a duplicate of bug #79276.
 [2020-11-12 16:38 UTC] sartorua at gmail dot com
-Status: Duplicate +Status: Open -Package: PDO related +Package: PDO PgSQL
 [2020-11-12 16:38 UTC] sartorua at gmail dot com
New minimal test code:

$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$pdo->prepare("SELECT '\', '--' WHERE 'q' = :e")->execute([':e' => 'q']);
 [2020-11-12 16:47 UTC] cmb@php.net
-Status: Open +Status: Duplicate
 [2020-11-12 16:47 UTC] cmb@php.net
Still a duplicate.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Aug 03 22:01:28 2021 UTC