Issue Type: Bug Created: 2009-09-28T18:02:00.000+0000 Last Updated: 2009-11-05T00:28:42.000+0000 Status: Closed Fix version(s): Reporter: Lysender (lysender) Assignee: Ramon Henrique Ornelas (ramon) Tags: - Zend_Db_Select
Related issues: - ZF-1343
I also tried this on ZF 1.9.3 and the bug exists. I have this setup:
$table = $this->_getTable(); $select = $table->select() ->where('Data_Division = ?', $category) ->where('Name = ?', $name);
Where $name is a string, and should accept any kind of patterns. It we enter '\? for name
'\? '\? '\? Single Quote: Slash: Question Mark Single Quote: Slash: Question Mark Single Quote: Slash: Question Mark
Here is the error:
2009-09-28T18:47:44+08:00 EMERG (0): firstname.lastname@example.org: Application error: SQLSTATE[HY093]: Invalid parameter number: no parameters were bound
It seems that binding parameters does not work properly of could be that input is not properly escaped. I have tried it also on login, still the same error occurs.
I tried on some ZF made websites like:
http://indianapolismotorspeedway.com/user/login/ Email: email@example.com Password: test'\?
Application error occurs
Is this a problem with PDO or with ZF?
// I'm sorry if I don't follow your Issue tracking rules, but I really have to post this.
Posted by Ramon Henrique Ornelas (ramon) on 2009-11-03T08:25:23.000+0000
Please, post sql creation table.
Try take the generated string, object Zend_Db_Select.
echo $select; exit;
Try running on a client bd, the generated string by Zend_Db_Select.
Posted by Jenny (jenny) on 2009-11-03T09:56:01.000+0000
I have seen this error when data contains a single quote and a question mark somewhere after the single quote.
id int(11) unsigned NOT NULL auto_increment,
user_name varchar(64) NOT NULL,
password varchar(64) NOT NULL,
active tinyint(1) NOT NULL default '1', PRIMARY KEY (
id), UNIQUE KEY
user_name) ) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=utf8 ;
$user_name = "te'st?name"; $password = "bobo";
$select = $this->_table->select(); $select->from($this->_name, '*'); $select->where('user_name = ?', $user_name); $select->where('password = ?', md5($password));
$stmt = $select->query(); // Exception thrown at this point.
If I echo the $select I get the following:
users WHERE (user_name = 'te\'st?name') AND (password = 'ca2cd2bcc63c4d7c8725577442073dde')
The MySQL query log shows that this statement is never sent to the server. But the query is well-formed and MySQL will execute it properly if I run it manually.
Posted by Ramon Henrique Ornelas (ramon) on 2009-11-03T12:49:01.000+0000
Posted by Ramon Henrique Ornelas (ramon) on 2009-11-03T13:03:28.000+0000
Posted by Jenny (jenny) on 2009-11-03T13:53:45.000+0000
I get the same error either way since they both use a Statement.
The initial exception is a PDOException being thrown by the PDOStatement object within the Zend_Db_Statement_Pdo::_execute() method. So I suppose this is a PDO bug. The query produced by the Zend_Db_Select object is valid SQL.
Posted by Jenny (jenny) on 2009-11-03T14:27:52.000+0000
The servers on which I have seen this error are both using PHP 5.2.6. I have since tested on a server with 5.2.10, and this bug does not occur.
Posted by Lysender (lysender) on 2009-11-03T16:17:43.000+0000
I have recently tried it on PHP 5.2.10 (Zend Server CE) and the error does not occur. So therefore it is a PDO issue. I have upgraded our server already. Tnx
Have you found an issue?
See the Overview section for more details.