#45101 [Opn->Bgs]: pg_send_query_params ORDER BY ignored

Sun, 19 Oct 2008 16:37:39 -0700 

 ID:               45101
 Updated by:       [EMAIL PROTECTED]
 Reported By:      alan at fromorbit dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         PostgreSQL related
 Operating System: Linux 2.6.24.7 x64
 PHP Version:      5.2.6
-Assigned To:      
+Assigned To:      hholzgra
 New Comment:

ORDER BY can get both a result column name or an expression as input,
in regular statements you would distinguish between a column name and a
string expression by checking whether the name is in qoutes or not.

With pg_send_query_params() the situation becomes ambiguous though and
the function always picks the string variant, so your statement becomes
the equivalent of

  SELECT * 
  FROM php_bug 
  WHERE name LIKE '%o%' 
  ORDER BY 'doesnt_exist_and_should_be_an_sql_error';

and so sorts by a constant (string) expression.


Previous Comments:
------------------------------------------------------------------------

[2008-05-27 04:47:21] alan at fromorbit dot com

Description:
------------
Hi all,

I've discovered that if you use pg_send_query_params() and try and
include a parameter for an 'ORDER BY' for example it's completely
ignored. I've looked at the pg_trace() output and it appears to be doing
the right thing. All I can assume is that the parameter is being
converted to a TRUE for an ORDER BY, and so the database happily accepts
'ORDER BY 1'.



Reproduce code:
---------------
#!/opt/php/bin/php
<?php
/*
create table php_bug (id integer, name varchar(255));
insert into php_bug values (1, 'one');
insert into php_bug values (2, 'two');
insert into php_bug values (3, 'three');
insert into php_bug values (4, 'four');
insert into php_bug values (5, 'five');
 */

$conn = pg_connect('host=localhost dbname=test port=5432 user=web');

$sql = 'SELECT * FROM php_bug WHERE name LIKE $1 ORDER BY $2';
$params = array('%o%', 'doesnt_exist_and_should_be_an_sql_error');

if (! pg_connection_busy($conn)) pg_send_query_params($conn, $sql,
$params);

$res = pg_get_result($conn);

while($row = pg_fetch_assoc($res))
        echo "{$row['id']} - {$row['name']}\n";

?>


Expected result:
----------------
An SQL error or an output that is ordered by the given parameter

Actual result:
--------------
1 - one
2 - two
4 - four



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=45101&edit=1

Reply via email to