Bug #80355 Prepared statement broke with \ and -- characters
Submitted: 2020-11-12 16:17 UTC Modified: 2020-11-12 16:47 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: sartorua at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO PgSQL
PHP Version: 7.4.12 OS: Ubuntu 20.04
Private report: No CVE-ID: None


 [2020-11-12 16:17 UTC] sartorua at gmail dot com
The SQL statement parser doesn't work with prepared parameters if the SQL query string contains \ and -- characters (order matters).
PHP produces an error:

Exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: :e'

Test script:
$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$s = $pdo->prepare("SELECT v FROM (VALUES ('\'),('--')) AS u (v) WHERE u.v = :e");
$s->execute([':e' => 'foo']);


 [2020-11-12 16:35 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-11-12 16:35 UTC]
This is a duplicate of bug #79276.
 [2020-11-12 16:38 UTC] sartorua at gmail dot com
-Status: Duplicate +Status: Open -Package: PDO related +Package: PDO PgSQL
 [2020-11-12 16:38 UTC] sartorua at gmail dot com
New minimal test code:

$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$pdo->prepare("SELECT '\', '--' WHERE 'q' = :e")->execute([':e' => 'q']);
 [2020-11-12 16:47 UTC]
-Status: Open +Status: Duplicate
 [2020-11-12 16:47 UTC]
Still a duplicate.
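
An added illustration, not part of the report and not PDO's code: a toy lexer that lists the named placeholders in the two queries from this report under two string-literal rules. It assumes, which the thread does not state, that the client-side scanner lets a backslash escape the next character inside a quoted literal while the server treats the backslash as an ordinary character; `find_placeholders` and the control query are constructed for the example.

```php
<?php
// Added example, not PDO's scanner. Assumption: $backslashEscapes=true models a
// client-side scanner in which a backslash escapes the next character inside
// '...'; false models a server that treats the backslash as an ordinary character.
function find_placeholders(string $sql, bool $backslashEscapes): array
{
    $found = [];
    $n = strlen($sql);
    for ($i = 0; $i < $n; ) {
        $c = $sql[$i];
        $next = $i + 1 < $n ? $sql[$i + 1] : '';
        if ($c === "'") {                                  // quoted literal
            for ($i++; $i < $n; $i++) {
                if ($backslashEscapes && $sql[$i] === '\\') {
                    $i++;                                  // skip the escaped character
                } elseif ($sql[$i] === "'") {
                    if ($i + 1 < $n && $sql[$i + 1] === "'") {
                        $i++;                              // '' is an embedded quote
                    } else {
                        break;                             // closing quote
                    }
                }
            }
            $i++;                                          // step past the closing quote
        } elseif ($c === '-' && $next === '-') {           // line comment runs to end of line
            $eol = strpos($sql, "\n", $i);
            $i = $eol === false ? $n : $eol + 1;
        } elseif ($c === ':' && $next === ':') {           // :: cast, not a placeholder
            $i += 2;
        } elseif ($c === ':' && preg_match('/\G:[A-Za-z_][A-Za-z0-9_]*/', $sql, $m, 0, $i)) {
            $found[] = $m[0];                              // named placeholder such as :e
            $i += strlen($m[0]);
        } else {
            $i++;
        }
    }
    return $found;
}
$queries = [
    "SELECT v FROM (VALUES ('\'),('--')) AS u (v) WHERE u.v = :e", // from the report
    "SELECT '\', '--' WHERE 'q' = :e",                              // from the report
    "SELECT '--' WHERE 'q' = :e",                                   // constructed control
];
foreach ($queries as $sql) {
    $client = find_placeholders($sql, true);
    $server = find_placeholders($sql, false);
    $note = $client === $server ? 'agree' : 'DISAGREE';
    printf("%s\n  client=[%s] server=[%s] %s\n", $sql, implode(',', $client), implode(',', $server), $note);
}
```

Under the backslash-escape rule both queries from the report yield no placeholder, because the literal is taken to end at the quote that opens '--' and the rest of the line is read as a comment; under the other rule both yield :e. A bound :e with no matching placeholder is consistent with the HY093 message quoted in the report.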
Last updated: Thu Apr 25 05:01:33 2024 UTC