ID: 44251
Updated by: [EMAIL PROTECTED]
Reported By: om at viazenetti dot de
-Status: Open
+Status: Assigned
Bug Type: PDO related
Operating System: Linux
PHP Version: 5.2.5
-Assigned To:
+Assigned To: felipe
Previous Comments:
------------------------------------------------------------------------
[2008-10-01 17:26:03] tsteiner at nerdclub dot net
Here's a patch to PHP 5.2.6 that seems to both fix this bug and not
affect the test case in Bug #36798:
--- php-5.2.6/ext/pdo/pdo_sql_parser.re 2007-12-31 01:17:40.000000000
-0600
+++ php-5.2.6.fixed/ext/pdo/pdo_sql_parser.re 2008-09-08
11:06:39.000000000 -0500
@@ -55,8 +55,8 @@
*/
/*!re2c
- (["] ([^"])* ["]) { RET(PDO_PARSER_TEXT); }
- (['] ([^'])* [']) { RET(PDO_PARSER_TEXT); }
+ (["](([\\]ANYNOEOF)|ANYNOEOF\["\\])*["]) {
RET(PDO_PARSER_TEXT); }
+ (['](([\\]ANYNOEOF)|ANYNOEOF\['\\])*[']) {
RET(PDO_PARSER_TEXT); }
MULTICHAR{2,}
{ RET(PDO_PARSER_TEXT); }
BINDCHR {
RET(PDO_PARSER_BIND); }
QUESTION
{ RET(PDO_PARSER_BIND_POS); }
--- php-5.2.6/ext/pdo/pdo_sql_parser.c 2008-04-30 13:37:40.000000000
-0500
+++ php-5.2.6.fixed/ext/pdo/pdo_sql_parser.c 2008-09-08
11:06:43.000000000 -0500
@@ -1,4 +1,5 @@
-/* Generated by re2c 0.11.0 on Mon Nov 26 16:10:28 2007 */
+/* Generated by re2c 0.13.5 on Mon Sep 8 11:06:43 2008 */
+#line 1 "ext/pdo/pdo_sql_parser.re"
/*
+----------------------------------------------------------------------+
| PHP Version 5
|
@@ -17,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: pdo_sql_parser.c,v 1.35.2.6.2.15 2007/12/31 07:20:09 sebastian
Exp $ */
+/* $Id: pdo_sql_parser.re,v 1.28.2.4.2.12 2007/12/31 07:17:40
sebastian Exp $ */
#include "php.h"
#include "php_pdo_driver.h"
@@ -46,15 +47,17 @@
char *cursor = s->cur;
s->tok = cursor;
+ #line 55 "ext/pdo/pdo_sql_parser.re"
+#line 55 "ext/pdo/pdo_sql_parser.c"
{
YYCTYPE yych;
- if((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
+ if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
yych = *YYCURSOR;
- switch(yych) {
+ switch (yych) {
case 0x00: goto yy11;
case '"': goto yy2;
case '\'': goto yy4;
@@ -63,16 +66,19 @@
default: goto yy8;
}
yy2:
- yych = *++YYCURSOR;
- goto yy24;
+ yych = *(YYMARKER = ++YYCURSOR);
+ if (yych >= 0x01) goto yy26;
yy3:
+#line 63 "ext/pdo/pdo_sql_parser.re"
{ SKIP_ONE(PDO_PARSER_TEXT); }
+#line 75 "ext/pdo/pdo_sql_parser.c"
yy4:
- yych = *++YYCURSOR;
+ yych = *(YYMARKER = ++YYCURSOR);
+ if (yych <= 0x00) goto yy3;
goto yy20;
yy5:
yych = *++YYCURSOR;
- switch(yych) {
+ switch (yych) {
case '0':
case '1':
case '2':
@@ -142,18 +148,20 @@
}
yy6:
++YYCURSOR;
- switch((yych = *YYCURSOR)) {
+ switch ((yych = *YYCURSOR)) {
case ':':
case '?': goto yy13;
default: goto yy7;
}
yy7:
+#line 62 "ext/pdo/pdo_sql_parser.re"
{ RET(PDO_PARSER_BIND_POS); }
+#line 160 "ext/pdo/pdo_sql_parser.c"
yy8:
++YYCURSOR;
- if(YYLIMIT == YYCURSOR) YYFILL(1);
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
yych = *YYCURSOR;
- switch(yych) {
+ switch (yych) {
case 0x00:
case '"':
case '\'':
@@ -162,26 +170,32 @@
default: goto yy8;
}
yy10:
+#line 64 "ext/pdo/pdo_sql_parser.re"
{ RET(PDO_PARSER_TEXT); }
+#line 176 "ext/pdo/pdo_sql_parser.c"
yy11:
++YYCURSOR;
+#line 65 "ext/pdo/pdo_sql_parser.re"
{ RET(PDO_PARSER_EOI); }
+#line 181 "ext/pdo/pdo_sql_parser.c"
yy13:
++YYCURSOR;
- if(YYLIMIT == YYCURSOR) YYFILL(1);
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
yych = *YYCURSOR;
- switch(yych) {
+ switch (yych) {
case ':':
case '?': goto yy13;
default: goto yy15;
}
yy15:
+#line 60 "ext/pdo/pdo_sql_parser.re"
{ RET(PDO_PARSER_TEXT); }
+#line 194 "ext/pdo/pdo_sql_parser.c"
yy16:
++YYCURSOR;
- if(YYLIMIT == YYCURSOR) YYFILL(1);
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
yych = *YYCURSOR;
- switch(yych) {
+ switch (yych) {
case '0':
case '1':
case '2':
@@ -248,32 +262,58 @@
default: goto yy18;
}
yy18:
+#line 61 "ext/pdo/pdo_sql_parser.re"
{ RET(PDO_PARSER_BIND); }
+#line 268 "ext/pdo/pdo_sql_parser.c"
yy19:
++YYCURSOR;
- if(YYLIMIT == YYCURSOR) YYFILL(1);
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
yych = *YYCURSOR;
yy20:
- switch(yych) {
- case '\'': goto yy21;
+ switch (yych) {
+ case 0x00: goto yy21;
+ case '\'': goto yy23;
+ case '\\': goto yy22;
default: goto yy19;
}
yy21:
+ YYCURSOR = YYMARKER;
+ goto yy3;
+yy22:
++YYCURSOR;
- { RET(PDO_PARSER_TEXT); }
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
+ yych = *YYCURSOR;
+ if (yych <= 0x00) goto yy21;
+ goto yy19;
yy23:
++YYCURSOR;
- if(YYLIMIT == YYCURSOR) YYFILL(1);
+#line 59 "ext/pdo/pdo_sql_parser.re"
+ { RET(PDO_PARSER_TEXT); }
+#line 293 "ext/pdo/pdo_sql_parser.c"
+yy25:
+ ++YYCURSOR;
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
yych = *YYCURSOR;
-yy24:
- switch(yych) {
- case '"': goto yy25;
- default: goto yy23;
+yy26:
+ switch (yych) {
+ case 0x00: goto yy21;
+ case '"': goto yy28;
+ case '\\': goto yy27;
+ default: goto yy25;
}
-yy25:
+yy27:
+ ++YYCURSOR;
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
+ yych = *YYCURSOR;
+ if (yych <= 0x00) goto yy21;
+ goto yy25;
+yy28:
++YYCURSOR;
+#line 58 "ext/pdo/pdo_sql_parser.re"
{ RET(PDO_PARSER_TEXT); }
+#line 315 "ext/pdo/pdo_sql_parser.c"
}
+#line 66 "ext/pdo/pdo_sql_parser.re"
}
------------------------------------------------------------------------
[2008-09-09 14:38:35] om at viazenetti dot de
Nice, after almost seven months, this bug still exists and no one cares
about it?
------------------------------------------------------------------------
[2008-09-05 17:59:42] tsteiner at nerdclub dot net
This bug is a direct result of the fix for Bug #36798.
The patch for that bug removed code in the parser that would ignore an
escaped quote when inside of quotes (ie: "foo\"bar" or 'foo\'bar').
This causes the parser to think it has found the end of quoted text,
when it has not. Because of this, ? characters after an escaped quote
are treated as placeholders. Additionally, I have found it causes the
parser to parse beyond the end of the query and into unknown memory
contents.
It looks like Bug #36798 needs to be reopened!
------------------------------------------------------------------------
[2008-02-26 11:11:13] om at viazenetti dot de
Description:
------------
If a question mark and an escaped singel quote appear in a where
statement as value, the PDO method prepare tries to bind a value to the
question mark.
Because no values are passed, pdo throws an exception (Only tested with
where statements):
PDOStatement::execute() [function.PDOStatement-execute]:
SQLSTATE[HY093]: Invalid parameter number: no parameters were bound in
Reproduce code:
---------------
<?php
$db = new PDO('mysql:host=localhost;dbname=DATABASE', 'USER',
'PASSWORD');
$sth = $db->prepare("SELECT * FROM `TABLE` WHERE (login =
'?\'')");
$sth->execute();
var_dump($sth->fetch());
Expected result:
----------------
Array or false
Actual result:
--------------
Exception: PDOStatement::execute() [function.PDOStatement-execute]:
SQLSTATE[HY093]: Invalid parameter number: no parameters were bound in
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=44251&edit=1
