Edit report at https://bugs.php.net/bug.php?id=44639&edit=1
ID: 44639
Comment by: alvaro at demogracia dot com
Reported by: jgauld at blueyonder dot co dot uk
Summary: PDO quotes integers in prepared statement
Status: Open
Type: Bug
Package: PDO related
Operating System: *
PHP Version: 5.*
Block user comment: N
Private report: N

New Comment:

This only happens on emulated parameter binding, i.e. when PDO::ATTR_EMULATE_PREPARES is TRUE.

Previous Comments:
------------------------------------------------------------------------
[2012-02-25 06:28:34] preludeinz at gmail dot com

Please fix! I can't do my course's lab exercise (without introducing a SQL injection vulnerability) without this feature.
------------------------------------------------------------------------
[2012-01-13 19:50:40] engin at e-php dot net

It's really sad seeing this aged bug is not gonna get fixed.
------------------------------------------------------------------------
[2011-12-13 22:33:36] stephen-d at rogers dot com

I am surprised that something this simple has been unfixed for so long. I wasted 8 hours trying to figure out "my" mistake. Thinking that it was a PDO bug was inconceivable. I finally turned on MySQL logging and saw that the numeric argument was being enclosed in quotes. I posted to a web site for help and a kind person sent me this link.

For others struggling with this, the work-around is to type cast all numeric values that will be passed to PDO.
------------------------------------------------------------------------
[2011-04-27 20:24:08] riksoft at gmail dot com

Php-cli V. 5.3.1: I see that if no PDO::PARAM_* is used, PDO uses the variable type. E.g.

$sth->bindValue(6, $checksum, PDO::PARAM_INT);
or
$sth->bindValue(6, $checksum);

correctly treat the value $checksum (CRC32 int) as a number

>>>> BUT <<<<

there is a problem with unsigned integers: according to http://it.php.net/manual/en/pdo.constants.php there isn't any useful constant for larger numeric values.

Real case: The only way to store a crc32 value among different DBs and platforms (32/64 bit) is converting CRC32 to unsigned int this way: sprintf("%u", crc32). But PDO::PARAM_INT is not able to handle values larger than 2147483647.

Solution: security of inputs by floatval() (at least when bindValue doesn't write it as a string, which is not my case).
------------------------------------------------------------------------
[2010-06-30 22:05:44] stuart at tase dot co dot uk

As noted earlier, even when specifying an explicit type using the constants, e.g. PDO::PARAM_INT, it treats them according to their native type, so a string containing a numerical value is treated as a string instead of an integer. It makes a complete mockery of the data type constants; they are just ignored.

One of two things should happen: numerical strings should be cast to integers by PDO when PARAM_INT is used, or PDO should throw an error/exception when it's expecting an int and receives a string. It should NOT try to be clever and ignore the explicit data type, sending potentially malformed SQL to the database. This violates one of the major reasons for using prepared statements to begin with: data and database integrity.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=44639
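The work-around the commenters describe (turn off emulated prepares, and cast numeric input to a real PHP int before binding it with PDO::PARAM_INT), written up as an added example that is not part of the bug report or of PDO's own code. The DSN, credentials, table name and the helper names connect() and bindInt() are assumptions.

```php
<?php
// Added example (not from the bug report). Binds integer input to a
// LIMIT/OFFSET clause so it is sent unquoted under both native and emulated
// prepares. DSN, credentials and the table name below are placeholders.

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: the server types each placeholder, so
        // the quoting problem in this report does not arise in the first place.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/**
 * Hypothetical helper: validate that $value is an integer (a PHP int or an
 * integer-only string), then bind it as a real PHP int with PDO::PARAM_INT.
 * With emulated prepares PDO quotes according to the PHP type of the value,
 * so a numeric string such as "10" would be sent as '10' and break LIMIT;
 * the cast produced by filter_var() prevents that. Anything that is not an
 * integer throws instead of being silently coerced or interpolated.
 */
function bindInt(PDOStatement $stmt, string $name, $value): void
{
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException(
            "$name must be an integer, got: " . var_export($value, true)
        );
    }
    $stmt->bindValue($name, $int, PDO::PARAM_INT);
}

// Page size and offset typically arrive from the request as strings ("10").
$pdo  = connect('mysql:host=localhost;dbname=app', 'user', 'secret');
$stmt = $pdo->prepare(
    'SELECT id, title FROM posts ORDER BY id LIMIT :limit OFFSET :offset'
);
bindInt($stmt, ':limit',  $_GET['limit']  ?? '10');
bindInt($stmt, ':offset', $_GET['offset'] ?? '0');
$stmt->execute();
foreach ($stmt as $row) {
    echo $row['id'], ' ', $row['title'], PHP_EOL;
}
```

Note that FILTER_VALIDATE_INT rejects values outside PHP_INT_MAX, so on a 32-bit build an unsigned CRC32 above 2147483647 (the case riksoft raises) would throw here rather than be bound; such values need a column type and a binding strategy chosen for that range.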
