 ID: 44390
 Updated by: [EMAIL PROTECTED]
 Reported By: pumuckel at metropolis dot de
-Status: Open
+Status: Assigned
 Bug Type: MySQLi related
 Operating System: Linux Gentoo
 PHP Version: 5.2.5
-Assigned To:
+Assigned To: andrey

New Comment:

I get the following with mysqli/mysqlnd, which seems correct, except for
the reference, but I have to investigate whether this is incorrect.
There is no memory error it seems.

Test 1:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar

Test 2:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar - 0

Test 3:
object(foo)#1 (1) {
  ["bar"]=>
  int(0)
}
object(foo)#1 (1) {
  ["bar"]=>
  &int(0)
}
0 - 0

----------------------------------
mysqli/libmysql gives the following, one sees that there is something
wrong

Test 1:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar

Test 2:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
ZZZZZZ - 0

Test 3:
object(foo)#1 (1) {
  ["bar"]=>
  int(0)
}
object(foo)#1 (1) {
  ["bar"]=>
  &int(0)
}
139797916 - 0

Assigning to myself


Previous Comments:
------------------------------------------------------------------------

[2008-03-10 09:21:26] pumuckel at metropolis dot de

Description:
------------
Mysqli bind_param and bind_result functions are changing object member
variables to be references with strange side effects.

a) I expect the object to keep the member variable types as is.
Currently they change to reference variables with the result of strange
side effects when you do not keep this in mind. We have to clone objects
before using them for bindings, right now - this is a working
workaround. I vote for a bug, at least it should be documented.

b) I expect binding on the same variable with different types working.
Currently I can manage to get a memory access to arbitrary data,
possibly leading to a segmentation fault or security violation. Again, I
vote for a bug.

Reproduce code:
---------------
<?php
$hostname = "localhost";
$username = "dbuser";
$password = "dbpassword";
$dbname = "dbname";

class foo {
    // @var $bar string
    public $bar;
}

$foo = new foo;
$foo->bar = "foobar";

$db = new mysqli($hostname, $username, $password, $dbname);

echo "Test 1: \n";
$stmt = $db->prepare("SELECT ? FOO");
var_dump($foo); // here you can see the bar member var being a string
$stmt->bind_param("s", $foo->bar);
var_dump($foo); // this will show $foo->bar being a reference string
$stmt->bind_result($one);
$stmt->execute();
$stmt->fetch();
$stmt->free_result();
echo("$one\n\n");

// it is getting worse. Binding the same var twice with different
// types you can get unexpected results (e.g. binary trash for the
// string and misc data for the integer). See next 2 tests.
echo "Test 2: \n";
$stmt = $db->prepare("SELECT ? FOO, ? BAR");
var_dump($foo);
$stmt->bind_param("si", $foo->bar, $foo->bar);
var_dump($foo);
$stmt->bind_result($one, $two);
$stmt->execute();
$stmt->fetch();
$stmt->free_result();
echo("$one - $two\n\n");

echo "Test 3: \n";
$stmt = $db->prepare("SELECT ? FOO, ? BAR");
var_dump($foo);
$stmt->bind_param("is", $foo->bar, $foo->bar);
var_dump($foo);
$stmt->bind_result($one, $two);
$stmt->execute();
$stmt->fetch();
$stmt->free_result();
echo("$one - $two\n\n");
?>

Expected result:
----------------
Test 1:
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
foobar

Test 2:
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
foobar - 0

Test 3:
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
0 - foobar

Actual result:
--------------
Test 1:
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar

Test 2:
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
�Pbar - 0

Test 3:
object(foo)#5 (1) {
  ["bar"]=>
  int(0)
}
object(foo)#5 (1) {
  ["bar"]=>
  &int(0)
}
140653124 - 0

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=44390&edit=1
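
The workaround the report describes (bind copies instead of the object's own members), shown as an added example that is not part of the original report or of PHP itself. `bind_values()` and `rerun_test2()` are hypothetical names; each placeholder gets its own variable, already cast to the declared type, so no caller variable is bound and none is bound under two types.

```php
<?php
// Added example, not part of the report. bind_values() and rerun_test2()
// are hypothetical names; only documented mysqli calls are used.

// Bind copies of the values: one private variable per placeholder, already
// cast to the declared type, so the caller's variables are never referenced.
function bind_values(mysqli_stmt $stmt, $types, array $values)
{
    $values = array_values($values);
    if (strlen($types) !== count($values)) {
        throw new InvalidArgumentException('need exactly one type letter per value');
    }
    $slots = array();
    $args  = array($types);
    foreach ($values as $i => $value) {
        if ($value === null) {
            $slots[$i] = null;                 // keep SQL NULL as NULL
        } elseif ($types[$i] === 'i') {
            $slots[$i] = (int) $value;
        } elseif ($types[$i] === 'd') {
            $slots[$i] = (float) $value;
        } elseif ($types[$i] === 's' || $types[$i] === 'b') {
            $slots[$i] = (string) $value;
        } else {
            throw new InvalidArgumentException("unknown type letter: {$types[$i]}");
        }
        $args[] = &$slots[$i];                 // reference to the copy only
    }
    return call_user_func_array(array($stmt, 'bind_param'), $args);
}

// Test 2 from the report, with the same member supplied for both placeholders.
function rerun_test2(mysqli $db, $foo)
{
    $stmt = $db->prepare("SELECT ? FOO, ? BAR");
    bind_values($stmt, "si", array($foo->bar, $foo->bar));
    $stmt->bind_result($one, $two);
    $stmt->execute();
    $stmt->fetch();
    $stmt->free_result();
    var_dump($foo);          // to check: "bar" should not carry the & marker
    return "$one - $two";
}
```

Calling `rerun_test2($db, $foo)` needs the `$db` connection and `$foo` object from the reproduce code above and a reachable MySQL server.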