ID: 40740
Updated by: [EMAIL PROTECTED]
Reported By: phpbugs at filofox dot com
Status: Assigned
Bug Type: PDO related
Operating System: Linux Debian Sarge 3.1
PHP Version: 5.2.1
Assigned To: wez
New Comment:
Well there is no way to hint to MySQL if something is a string or not
using emulate_prepare. What I think could make sense is for MySQL to
look at the type though.
So that:
$foo = '1'; // quoted as a string
$foo = 1; // interpreted as an integer and therefore not quoted
This should be fine for security as well, since integers should not
cause any SQL injection issues.
Of course this would break any code where people try to insert an
integer into a string column. But I think this would be very rare and
the benefit would out weight the disadvantages.
Previous Comments:
------------------------------------------------------------------------
[2007-03-23 15:12:20] [EMAIL PROTECTED]
Emulation is wrong if it doesn't work. Numbers after LIMIT should not
be quoted.
------------------------------------------------------------------------
[2007-03-07 09:54:18] [EMAIL PROTECTED]
Use PDO::ATTR_EMULATE_PREPARES = false to turn off emulation of
prepared statements.
PDO_MYSQL uses it by default because native prepared statements in
MySQL are quite limited - you can't use SHOW statements, for example.
The documentation should mention it, though.
Reclassified as docu problem.
------------------------------------------------------------------------
[2007-03-06 17:13:44] phpbugs at filofox dot com
Description:
------------
The following emerged after upgrading from 5.2.0 to 5.2.1 and has been
checked in both versions: the error only occurs in 5.2.1 .
When passing parameters into a LIMIT clause using PDO::execute(), it
appears that PDO is quoting the parameters, which causes MYSQL to throw
an error.
FYI: PDO_MYSQL is built against MySQL client library 5.0.18.
Reproduce code:
---------------
$dbh = new PDO('mysql:localhost;dbname=my_db', 'user', '' );
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try{
$query = $dbh->prepare( 'SELECT * FROM some_table LIMIT :start,
:limit' );
if ( $query->execute ( array ( 'start' => 0, 'limit' => 10 ) ) )
{
while ( $row = $query->fetch ( PDO::FETCH_ASSOC ) )
{
print_r($row);
}
$query->closeCursor();
}
} catch( Exception $e ){
print_r( $e );
}
Expected result:
----------------
A number of rows are returned.
Actual result:
--------------
An exception is thrown:
PDOException Object
(
[message:protected] => SQLSTATE[42000]: Syntax error or access
violation: 1064 You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near ''0', '10'' at line 1
[string:private] =>
[code:protected] => 42000
[file:protected] => [my_file].php
[line:protected] => 19
[trace:private] => Array
(
[0] => Array
(
[file] => [my_file].php
[line] => 19
[function] => execute
[class] => PDOStatement
[type] => ->
[args] => Array
(
[0] => Array
(
[start] => 0
[limit] => 10
)
)
)
)
[errorInfo] => Array
(
[0] => 42000
[1] => 1064
[2] => You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ''0', '10'' at line 1
)
)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=40740&edit=1
