Edit report at https://bugs.php.net/bug.php?id=63972&edit=1

 ID:                 63972
 Updated by:         johan...@php.net
 Reported by:        denis dot gasparin at edistar dot com
 Summary:            Incorrect escape of query when using
                     PDO::ATTR_EMULATE_PREPARES
-Status:             Open
+Status:             Duplicate
 Type:               Bug
 Package:            PDO related
 Operating System:   Linux
 PHP Version:        5.3.20
 Block user comment: N
 Private report:     N

 New Comment:

This is a known limitation in the PDO statement parser.


Previous Comments:
------------------------------------------------------------------------
[2013-01-11 18:14:46] denis dot gasparin at edistar dot com

Description:
------------
I have a table with two varchar fields:

create table test(
a varchar,
b varchar
);

When I execute an insert query where the following conditions are met:
- the first field contains a string like this \\''a
- the second field contains a ? character
- the PDO attribute PDO::ATTR_EMULATE_PREPARES is passed to PDO::prepare method

I get the following error:

Invalid parameter number: no parameters were bound in php shell code on line 1

I don't know if the problem is bound to postgresql databases only or other ones.



Test script:
---------------
$db = new PDO("pgsql:host=localhost;port=5432;dbname=test;");
$sql = "insert into test values ('\\''a','?')";
$res = $db->prepare($sql, array(PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT => 1));
$res->execute();





Expected result:
----------------
The query should be executed correctly

Actual result:
--------------
Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: no 
parameters were bound in php shell code on line 1


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=63972&edit=1
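
The parser mismatch behind this report, as an added example that is not code from the report or from PHP itself: a simplified model of a placeholder scanner, run over the reporter's statement under two quoting rules. It assumes the emulating scanner treats a backslash inside a quoted literal as an escape, while the database (PostgreSQL with standard_conforming_strings on) does not; findPlaceholders and its flag are hypothetical names.

```php
<?php
// Added example: simplified model of a placeholder scanner, not PDO's source.
// Assumption: $backslashEscapes = true models a scanner that treats a backslash
// inside a quoted literal as escaping the next character; false models
// standard SQL quoting, where only a doubled quote ('') is an escape.

/** Return the byte offsets of every '?' found outside a quoted literal. */
function findPlaceholders(string $sql, bool $backslashEscapes): array
{
    $found = [];
    $quote = null;              // current quote character, or null when outside
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($quote === null) {
            if ($c === "'" || $c === '"') {
                $quote = $c;
            } elseif ($c === '?') {
                $found[] = $i;
            }
            continue;
        }
        if ($backslashEscapes && $c === '\\' && $i + 1 < $len) {
            $i++;               // skip the escaped character
        } elseif ($c === $quote) {
            if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                $i++;           // doubled quote stays inside the literal
            } else {
                $quote = null;  // closing quote
            }
        }
    }
    return $found;
}

// The statement from the report; in PHP source "\\''a" is the bytes \''a
$sql = "insert into test values ('\\''a','?')";

$asScanner  = findPlaceholders($sql, true);
$asDatabase = findPlaceholders($sql, false);

printf("backslash-aware scanner: %d placeholder(s)\n", count($asScanner));
printf("standard SQL quoting:    %d placeholder(s)\n", count($asDatabase));
if (count($asScanner) !== count($asDatabase)) {
    echo "Mismatch: the two readings disagree on where the literals end.\n";
}
```

Where the two counts differ, text that the database treats as inert literal content is treated as statement syntax by the scanner, so values are more safely passed as bound parameters than written inline in the SQL string.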
