ID: 35001
Updated by: [EMAIL PROTECTED]
Reported By: antleclercq at online dot fr
-Status: Open
+Status: Feedback
Bug Type: PDO related
Operating System: Win2000
PHP Version: 5CVS-2005-10-27 (snap)
New Comment:
Add var_dump($sql); just before $res->prepare() and paste the output
here.
Previous Comments:
------------------------------------------------------------------------
[2005-10-27 16:26:11] antleclercq at online dot fr
Description:
------------
Hi,
I get this strange bug with the following code. I thought it was fixed
when I read the bug report: bugs.php.net/?id=34861, but it seems only
partially.
Create the following table in a "test" db under mysql:
CREATE TABLE `test` (
`id` int(11) NOT NULL default '0',
`test1` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `test` VALUES (1, 'test');
Using the code below, try posting the following string:
x"'"x:a
(magic_quotes_gpc is on)
I took the latest snapshot for Win2000.
Info : that doesn't crash when using $db->exec($sql).
Antoine
Reproduce code:
---------------
<?php
if (isset($_POST))
{
$string = $_POST["string"];
$db = new PDO("mysql:dbname=test;host=localhost", "##user##",
"##password##");
$sql = "UPDATE test SET test1 = '".$string."' WHERE id = '1'";
$res = $db->prepare($sql);
$res->execute();
}
?>
<form action="" method="POST">
<input type="text" value="<?php if (isset($_POST)){echo
$_POST["string"];}?>" name="string">
</form>
Expected result:
----------------
It should update the record.
Actual result:
--------------
Warning: PDOStatement::execute() [function.execute]: SQLSTATE[HY093]:
Invalid parameter number: no parameters were bound in C:\Program
Files\Apache Group\Apache2\htdocs\test.php on line 16
------------------------------------------------------------------------
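The reproduce code above builds the statement by concatenating the posted string into the SQL text and relies on magic_quotes_gpc for escaping. As an added example (not code from the bug report or from the PHP project), here is the same update with the string passed as a bound parameter; the in-memory SQLite database and the `:value` / `:id` placeholder names are assumptions made so the script runs without a MySQL server.

```php
<?php
// Added example: sqlite::memory: stands in for the MySQL "test" db (assumption),
// so the script runs without a server. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Same shape as the table in the report.
$db->exec("CREATE TABLE test (id INTEGER NOT NULL DEFAULT 0, test1 TEXT NOT NULL)");
$db->exec("INSERT INTO test VALUES (1, 'test')");

// Constructed input: the string from the report, exactly as the user typed it.
$string = 'x"\'"x:a';

// The value travels as a bound parameter, never as SQL text, so its quotes
// and its ":a" are data only. No addslashes()/magic_quotes escaping is applied.
$stmt = $db->prepare('UPDATE test SET test1 = :value WHERE id = :id');
$stmt->bindValue(':value', $string, PDO::PARAM_STR);
$stmt->bindValue(':id', 1, PDO::PARAM_INT);
$stmt->execute();

// Read the row back and confirm the stored value is byte-for-byte the input.
$check = $db->prepare('SELECT test1 FROM test WHERE id = :id');
$check->bindValue(':id', 1, PDO::PARAM_INT);
$check->execute();
$stored = $check->fetchColumn();

if ($stored !== $string) {
    throw new RuntimeException('stored value differs from input');
}
echo "rows updated: ", $stmt->rowCount(), "\n";
echo "stored value: ", $stored, "\n";

// When the value is echoed back into the form's value attribute,
// encode it for HTML so the quotes cannot close the attribute.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

With magic_quotes_gpc on, the posted value would need `stripslashes()` before binding, otherwise the added backslashes are stored as part of the data.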