Edit report at http://bugs.php.net/bug.php?id=54551&edit=1

 ID:                 54551
 User updated by:    php_nospam at ramihyn dot sytes dot net
 Reported by:        php_nospam at ramihyn dot sytes dot net
 Summary:            pdo_mysql_stmt_get_col() converts DB integer to
                     string
 Status:             Bogus
 Type:               Bug
 Package:            MySQL related
 Operating System:   Any
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

This misbehaviour has effectively rendered pdo_mysql useless for 3 years,
and using the functions from the mysql extension is more likely
vulnerable to SQL injection attacks.

Stating this is Bogus or Irrelevant doesn't sound much like a solution
making PHP and PHP applications more secure.


Previous Comments:
------------------------------------------------------------------------
[2011-04-17 22:05:29] php_nospam at ramihyn dot sytes dot net

Yeah well, it's a bug that pdo/pdo_mysql have had for at least 3 years now.

http://bugs.php.net/bug.php?id=44341 was set to Bogus claiming it was
not a PDO core bug.

So you're trying to tell me it's irrelevant that PHP's next generation
database interface can't even transport an int(11) from database to a
variable without converting it to a string?

As mysql_fetch_assoc() handles integers correctly by not converting them
to a string, it really shouldn't be that hard for pdo_mysql to do the
same.

------------------------------------------------------------------------
[2011-04-17 20:36:34] [email protected]

.

------------------------------------------------------------------------
[2011-04-17 20:36:11] [email protected]

The issue actually is that PDO by default uses emulation of prepared
statements. Only native prepared statements use the binary protocol
which keeps the proper types.

------------------------------------------------------------------------
[2011-04-17 19:22:21] php_nospam at ramihyn dot sytes dot net

Description:
------------
pdo_mysql_stmt_get_col() returns a string instead of an integer obtained
from the database. This happens with the pdo_mysql extension included in
the PHP download section as well as on my Ubuntu box.

Looking at mysql_statement.c from the pdo_mysql source shows that it
returns a ZVAL reference instead of a string when compiled with mysqlnd,
so if I may ask: why isn't it the default to compile with mysqlnd?



Test script:
---------------
<?php
$mysql = new PDO('mysql:host=localhost;dbname=test', 'root', '');
$mysql->setAttribute(PDO::ATTR_STRINGIFY_FETCHES, false);

var_dump($mysql->query('SELECT 42')->fetch(PDO::FETCH_NUM));
?>

Expected result:
----------------
array(1) {
  [0]=>
  int(42)
}

Actual result:
--------------
array(1) {
  [0]=>
  string(2) "42"
}

------------------------------------------------------------------------
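
The [2011-04-17 20:36:11] comment distinguishes emulated from native prepared statements; the script below, an added example that is not code from the bug report, fetches the same row in both modes and reports the PHP type of each column. It reuses the DSN and credentials from the report's test script; the table name pdo_type_probe and the function probeTypes() are hypothetical.

```php
<?php
// Added example, not from the bug report. The DSN and credentials are the ones
// in the report's test script; pdo_type_probe and probeTypes() are hypothetical.

function probeTypes(bool $emulate): array
{
    $pdo = new PDO('mysql:host=localhost;dbname=test', 'root', '', [
        PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
        // true  = PDO interpolates parameters client-side and sends plain text SQL
        // false = server-side prepare, results come back over the binary protocol
        PDO::ATTR_EMULATE_PREPARES  => $emulate,
        PDO::ATTR_STRINGIFY_FETCHES => false,
    ]);

    // Session-scoped table, dropped automatically on disconnect.
    $pdo->exec('CREATE TEMPORARY TABLE pdo_type_probe (id INT(11), ratio DOUBLE, name VARCHAR(16))');
    $pdo->exec("INSERT INTO pdo_type_probe VALUES (42, 0.5, 'answer')");

    // The parameter is bound, never concatenated, in both modes.
    $stmt = $pdo->prepare('SELECT id, ratio, name FROM pdo_type_probe WHERE id = ?');
    $stmt->bindValue(1, 42, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Map each column to the PHP type it arrived as.
    return array_map('gettype', $row);
}

foreach ([true, false] as $emulate) {
    printf("emulate_prepares=%s\n", $emulate ? 'true' : 'false');
    foreach (probeTypes($emulate) as $column => $type) {
        printf("  %-6s %s\n", $column, $type);
    }
}
```

Which types appear in each mode depends on the PHP version and on whether pdo_mysql was built against mysqlnd or libmysqlclient, which is why the script reports what it observes instead of asserting a result.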


