php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #80355 Prepared statement broke with \ and -- characters
Submitted: 2020-11-12 16:17 UTC Modified: 2020-11-12 16:47 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: sartorua at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO PgSQL
PHP Version: 7.4.12 OS: Ubuntu 20.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
44 + 4 = ?
Subscribe to this entry?

 
 [2020-11-12 16:17 UTC] sartorua at gmail dot com 
Description:
------------
SQL statement parser don't work with prepared parameters if SQL query string contains \ and -- characters (order matters).
PHP produces error:

Exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: :e'

Test script:
---------------
$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$s = $pdo->prepare("SELECT v FROM (VALUES ('\'),('--')) AS u (v) WHERE u.v = :e");
$s->execute([':e' => 'foo']);
$s->fetchAll();

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-11-12 16:35 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-11-12 16:35 UTC] cmb@php.net 
This is a duplicate of bug #79276.
 [2020-11-12 16:38 UTC] sartorua at gmail dot com
-Status: Duplicate +Status: Open -Package: PDO related +Package: PDO PgSQL
 [2020-11-12 16:38 UTC] sartorua at gmail dot com 
New minimal test code:

$pdo = new \PDO('pgsql:host=localhost;dbname=postgres', 'postgres', 'postgres');
$pdo->prepare("SELECT '\', '--' WHERE 'q' = :e")->execute([':e' => 'q']);
 [2020-11-12 16:47 UTC] cmb@php.net
-Status: Open +Status: Duplicate
 [2020-11-12 16:47 UTC] cmb@php.net 
Still a duplicate.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 23:01:28 2024 UTC