php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81040 Native pass-by-ref in mysqli_stmt::bind_param leaks reference
Submitted: 2021-05-13 16:30 UTC Modified: 2021-05-26 19:56 UTC
From: dharman@php.net Assigned: cmb (profile)
Status: Not a bug Package: Unknown/Other Function
PHP Version: 8.0.6 OS: Windows 10
Private report: No CVE-ID: None
 [2021-05-13 16:30 UTC] dharman@php.net
Description:
------------
Native pass-by-reference makes elements of an array referenced. Tested with mysqli_stmt::bind_param. This results in inadvertent changes to follow up code, e.g. results from array_diff()

I don't know if it's intended behaviour or if not then which component this is related to. Additionally, should the reference leak through array_diff()?

Test online: https://phpize.online/?phpses=6fd2785a4408856aa1fc2aba245d05bc&sqlses=null&php_version=php8&sql_version=mysql57

Test script:
---------------
<?php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'user', 'password', 'test');

function a(&$a, &$b, &$c)
{
    $a = 3;
}

$foo = [1, 2, 3];
$bar = [3, 4, 5];

$stmt = $mysqli->prepare("SELECT ?,?,?");

// What's the difference between this
$stmt->bind_param('sss', $foo[0], $foo[1], $foo[2]);
// and this
a($foo[0], $foo[1], $foo[2]);

$diff = array_diff($foo, $bar);
$foo[1] = 'hi';
var_dump($diff);

Expected result:
----------------
array(1) {
  [1] =>
  int(2)
}

Actual result:
--------------
array(1) {
  [1] =>
  string(2) "hi"
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-05-21 12:52 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-05-21 12:52 UTC] cmb@php.net
This doesn't appear to be particularly related to PHP 8.0.

Anyway, what is the behavior with libmysql-client.  It seems to me
that would yield the expected behavior.
 [2021-05-21 13:31 UTC] cmb@php.net
That "reference leak" is by design, to allow rebinding of the
parameters like demonstrated in the first example for
mysqli_stmt::execute()[1].

If MySQLi built against libmysql-client behaves differently, that
was a bug.

[1] <https://www.php.net/manual/en/mysqli-stmt.execute.php#refsect1-mysqli-stmt.execute-examples>
 [2021-05-26 19:56 UTC] dharman@php.net
-Status: Feedback +Status: Not a bug
 [2021-05-26 19:56 UTC] dharman@php.net
As explained by CMB this is not a bug, at least not when compiled with mysqlnd
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jun 18 02:01:23 2021 UTC