ID: 40740 Updated by: [EMAIL PROTECTED] Reported By: phpbugs at filofox dot com Status: Assigned Bug Type: PDO related Operating System: Linux Debian Sarge 3.1 PHP Version: 5.2.1 Assigned To: wez New Comment:
Well there is no way to hint to MySQL if something is a string or not using emulate_prepare. What I think could make sense is for MySQL to look at the type though. So that: $foo = '1'; // quoted as a string $foo = 1; // interpreted as an integer and therefore not quoted This should be fine for security as well, since integers should not cause any SQL injection issues. Of course this would break any code where people try to insert an integer into a string column. But I think this would be very rare and the benefit would out weight the disadvantages. Previous Comments: ------------------------------------------------------------------------ [2007-03-23 15:12:20] [EMAIL PROTECTED] Emulation is wrong if it doesn't work. Numbers after LIMIT should not be quoted. ------------------------------------------------------------------------ [2007-03-07 09:54:18] [EMAIL PROTECTED] Use PDO::ATTR_EMULATE_PREPARES = false to turn off emulation of prepared statements. PDO_MYSQL uses it by default because native prepared statements in MySQL are quite limited - you can't use SHOW statements, for example. The documentation should mention it, though. Reclassified as docu problem. ------------------------------------------------------------------------ [2007-03-06 17:13:44] phpbugs at filofox dot com Description: ------------ The following emerged after upgrading from 5.2.0 to 5.2.1 and has been checked in both versions: the error only occurs in 5.2.1 . When passing parameters into a LIMIT clause using PDO::execute(), it appears that PDO is quoting the parameters, which causes MYSQL to throw an error. FYI: PDO_MYSQL is built against MySQL client library 5.0.18. Reproduce code: --------------- $dbh = new PDO('mysql:localhost;dbname=my_db', 'user', '' ); $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); try{ $query = $dbh->prepare( 'SELECT * FROM some_table LIMIT :start, :limit' ); if ( $query->execute ( array ( 'start' => 0, 'limit' => 10 ) ) ) { while ( $row = $query->fetch ( PDO::FETCH_ASSOC ) ) { print_r($row); } $query->closeCursor(); } } catch( Exception $e ){ print_r( $e ); } Expected result: ---------------- A number of rows are returned. Actual result: -------------- An exception is thrown: PDOException Object ( [message:protected] => SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0', '10'' at line 1 [string:private] => [code:protected] => 42000 [file:protected] => [my_file].php [line:protected] => 19 [trace:private] => Array ( [0] => Array ( [file] => [my_file].php [line] => 19 [function] => execute [class] => PDOStatement [type] => -> [args] => Array ( [0] => Array ( [start] => 0 [limit] => 10 ) ) ) ) [errorInfo] => Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0', '10'' at line 1 ) ) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40740&edit=1