bind_result and Object member variables

andrey Thu, 20 Mar 2008 08:46:39 -0700

 ID:               44390
 Updated by:       [EMAIL PROTECTED]
 Reported By:      pumuckel at metropolis dot de
-Status:           Assigned
+Status:           Closed
 Bug Type:         MySQLi related
 Operating System: Linux Gentoo
 PHP Version:      5.2.5
 Assigned To:      andrey
 New Comment:


This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.3.0-dev
The original variables passed for parameter binding won't be changed
anymore if there is a type conversion to be performed like:
$str = "fubar"
bind_param("i", $str);
// here $str used to be 0, after the fix it will be "fubar" again
The reference counting is needed because the variable used for param
binding should not be freed, in case the script loses the last reference
to it. Otherwise mysqli will point to nirvana and might crash.


Previous Comments:
------------------------------------------------------------------------

[2008-03-18 17:37:26] [EMAIL PROTECTED]

Ohje, there is a problem, valgrind cries :

==22493== Invalid read of size 1
==22493==    at 0x40245A1: memcpy (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x412563F: store_param_str (libmysql.c:2389)
==22493==    by 0x41257D6: store_param (libmysql.c:2443)
==22493==    by 0x4125CD0: cli_stmt_execute (libmysql.c:2544)
==22493==    by 0x412643F: mysql_stmt_execute (libmysql.c:2856)
==22493==    by 0x80FE3EB: zif_mysqli_stmt_execute (mysqli_api.c:734)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==  Address 0x4F7BE9D is 5 bytes inside a block of size 7
free'd
==22493==    at 0x402243F: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x82B65AB: _efree (zend_alloc.c:2291)
==22493==    by 0x82D4098: convert_to_long_base (zend_operators.c:353)
==22493==    by 0x82D3F1F: convert_to_long (zend_operators.c:325)
==22493==    by 0x80FE3A6: zif_mysqli_stmt_execute (mysqli_api.c:723)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==
==22493== Invalid read of size 1
==22493==    at 0x40245A9: memcpy (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x412563F: store_param_str (libmysql.c:2389)
==22493==    by 0x41257D6: store_param (libmysql.c:2443)
==22493==    by 0x4125CD0: cli_stmt_execute (libmysql.c:2544)
==22493==    by 0x412643F: mysql_stmt_execute (libmysql.c:2856)
==22493==    by 0x80FE3EB: zif_mysqli_stmt_execute (mysqli_api.c:734)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==  Address 0x4F7BE9C is 4 bytes inside a block of size 7
free'd
==22493==    at 0x402243F: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x82B65AB: _efree (zend_alloc.c:2291)
==22493==    by 0x82D4098: convert_to_long_base (zend_operators.c:353)
==22493==    by 0x82D3F1F: convert_to_long (zend_operators.c:325)
==22493==    by 0x80FE3A6: zif_mysqli_stmt_execute (mysqli_api.c:723)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==
==22493== Invalid read of size 1
==22493==    at 0x40245B0: memcpy (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x412563F: store_param_str (libmysql.c:2389)
==22493==    by 0x41257D6: store_param (libmysql.c:2443)
==22493==    by 0x4125CD0: cli_stmt_execute (libmysql.c:2544)
==22493==    by 0x412643F: mysql_stmt_execute (libmysql.c:2856)
==22493==    by 0x80FE3EB: zif_mysqli_stmt_execute (mysqli_api.c:734)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==  Address 0x4F7BE9B is 3 bytes inside a block of size 7
free'd
==22493==    at 0x402243F: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x82B65AB: _efree (zend_alloc.c:2291)
==22493==    by 0x82D4098: convert_to_long_base (zend_operators.c:353)
==22493==    by 0x82D3F1F: convert_to_long (zend_operators.c:325)
==22493==    by 0x80FE3A6: zif_mysqli_stmt_execute (mysqli_api.c:723)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==
==22493== Invalid read of size 1
==22493==    at 0x40245B7: memcpy (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x412563F: store_param_str (libmysql.c:2389)
==22493==    by 0x41257D6: store_param (libmysql.c:2443)
==22493==    by 0x4125CD0: cli_stmt_execute (libmysql.c:2544)
==22493==    by 0x412643F: mysql_stmt_execute (libmysql.c:2856)
==22493==    by 0x80FE3EB: zif_mysqli_stmt_execute (mysqli_api.c:734)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==  Address 0x4F7BE9A is 2 bytes inside a block of size 7
free'd
==22493==    at 0x402243F: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x82B65AB: _efree (zend_alloc.c:2291)
==22493==    by 0x82D4098: convert_to_long_base (zend_operators.c:353)
==22493==    by 0x82D3F1F: convert_to_long (zend_operators.c:325)
==22493==    by 0x80FE3A6: zif_mysqli_stmt_execute (mysqli_api.c:723)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==
==22493== Invalid read of size 1
==22493==    at 0x40245D3: memcpy (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x412563F: store_param_str (libmysql.c:2389)
==22493==    by 0x41257D6: store_param (libmysql.c:2443)
==22493==    by 0x4125CD0: cli_stmt_execute (libmysql.c:2544)
==22493==    by 0x412643F: mysql_stmt_execute (libmysql.c:2856)
==22493==    by 0x80FE3EB: zif_mysqli_stmt_execute (mysqli_api.c:734)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)
==22493==  Address 0x4F7BE99 is 1 bytes inside a block of size 7
free'd
==22493==    at 0x402243F: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==22493==    by 0x82B65AB: _efree (zend_alloc.c:2291)
==22493==    by 0x82D4098: convert_to_long_base (zend_operators.c:353)
==22493==    by 0x82D3F1F: convert_to_long (zend_operators.c:325)
==22493==    by 0x80FE3A6: zif_mysqli_stmt_execute (mysqli_api.c:723)
==22493==    by 0x830DC7E: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:190)
==22493==    by 0x830EF55: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:309)
==22493==    by 0x830D4F9: execute (zend_vm_execute.h:91)
==22493==    by 0x82DF4CD: zend_execute_scripts (zend.c:1170)
==22493==    by 0x825B0A7: php_execute_script (main.c:2059)
==22493==    by 0x837B57B: main (php_cli.c:1139)


------------------------------------------------------------------------

[2008-03-18 17:36:18] [EMAIL PROTECTED]

I get the following with mysqli/mysqlnd, which seems correct, except
for the reference, but I have to investigate whether this is incorrect.
There is no memory error it seems.

Test 1:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar

Test 2:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar - 0

Test 3:
object(foo)#1 (1) {
  ["bar"]=>
  int(0)
}
object(foo)#1 (1) {
  ["bar"]=>
  &int(0)
}
0 - 0
----------------------------------
mysqli/libmysql gives the following, one sees that there is something
wrong
Test 1:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar

Test 2:
object(foo)#1 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#1 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
ZZZZZZ - 0

Test 3:
object(foo)#1 (1) {
  ["bar"]=>
  int(0)
}
object(foo)#1 (1) {
  ["bar"]=>
  &int(0)
}
139797916 - 0


Assigning to myself

------------------------------------------------------------------------

[2008-03-10 09:21:26] pumuckel at metropolis dot de

Description:
------------
Mysqli bind_param and bind_result functions are changing object member
variables to be references with strange side affects.

a) I expect the object to keep the member variable types as is.
Currently they change to reference variables with the result of strange
side effects when you do not keep this in mind. We have to clone objects
before using them for bindings, right now - this is a working
workaround. I vote for a bug, at least it should be documented.

b) I expect binding on the same variable with different types working.
Currently I can manage to get a memory access to arbitrary data,
possibly leading to a segmentation fault or security violation. Again, I
vote for a bug.


Reproduce code:
---------------
<?php
$hostname = "localhost";
$username = "dbuser";
$password = "dbpassword";
$dbname   = "dbname";

class foo {
  // @var $bar string
  public $bar;
}

$foo = new foo;
$foo->bar = "foobar";

$db = new mysqli($hostname, $username, $password, $dbname);

echo "Test 1: \n";
$stmt = $db->prepare("SELECT ? FOO");
var_dump($foo); // here you can see the bar member var beeing a string
$stmt->bind_param("s", $foo->bar);
var_dump($foo); // this will show $foo->bar beeing a reference string
$stmt->bind_result($one);
$stmt->execute();
$stmt->fetch();
$stmt->free_result();
echo("$one\n\n");

// it is getting worse. Binding the same var twice with different 
// types you can get unexpected results (e.g. binary trash for the
// string and misc data for the integer. See next 2 tests.

echo "Test 2: \n";
$stmt = $db->prepare("SELECT ? FOO, ? BAR");
var_dump($foo);
$stmt->bind_param("si", $foo->bar, $foo->bar);
var_dump($foo);
$stmt->bind_result($one, $two);
$stmt->execute();
$stmt->fetch();
$stmt->free_result();
echo("$one - $two\n\n");

echo "Test 3: \n";

$stmt = $db->prepare("SELECT ? FOO, ? BAR");
var_dump($foo);
$stmt->bind_param("is", $foo->bar, $foo->bar);
var_dump($foo);
$stmt->bind_result($one, $two);
$stmt->execute();
$stmt->fetch();
$stmt->free_result();
echo("$one - $two\n\n");

?>

Expected result:
----------------
Test 1: 
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
foobar

Test 2: 
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
foobar - 0

Test 3: 
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
0 - foobar


Actual result:
--------------
Test 1: 
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
foobar

Test 2: 
object(foo)#5 (1) {
  ["bar"]=>
  string(6) "foobar"
}
object(foo)#5 (1) {
  ["bar"]=>
  &string(6) "foobar"
}
&#65533;Pbar - 0

Test 3: 
object(foo)#5 (1) {
  ["bar"]=>
  int(0)
}
object(foo)#5 (1) {
  ["bar"]=>
  &int(0)
}
140653124 - 0




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=44390&edit=1

#44390 [Asn->Csd]: bind_param / bind_result and Object member variables

Reply via email to