Bug #44433 [Com]: Text with null characters (\0) truncated when bound to prepared statement

[metala at metala dot org]

Edit report at https://bugs.php.net/bug.php?id=44433&edit=1

 ID:                 44433
 Comment by:         metala at metala dot org
 Reported by:        hans at velum dot net
 Summary:            Text with null characters (\0) truncated when bound
                     to prepared statement
 Status:             No Feedback
 Type:               Bug
 Package:            PDO related
 Operating System:   Gentoo Linux
 PHP Version:        5.2.5
 Block user comment: N
 Private report:     N

 New Comment:

I have experienced the same issue with PHP 5.4.4-7 using Debian wheezy/sid.

Actually It made me drop the idea to store objects in database and I used the 
conventional way to solve the problem. So it was frustrating....


Previous Comments:
------------------------------------------------------------------------
[2009-05-03 01:00:11] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

------------------------------------------------------------------------
[2009-04-25 14:56:32] j...@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/



------------------------------------------------------------------------
[2009-03-09 23:21:21] bmauser at gmail dot com

I noticed the same problem on windows (vista) and same php version 5.2.5. The 
serialized string I tried to store in the database was:

O:8:"Psa_User":3:{s:9:" * groups";a:0:{}s:13:" * 
last_login";i:0;s:10:"test_value";i:391;}

and when I put output from serialize() in hex editor you can see some null 
characters:

00000000h: 4F 3A 38 3A 22 50 73 61 5F 55 73 65 72 22 3A 33 ; O:8:"Psa_User":3
00000010h: 3A 7B 73 3A 39 3A 22 00 2A 00 67 72 6F 75 70 73 ; :{s:9:".*.groups
00000020h: 22 3B 61 3A 30 3A 7B 7D 73 3A 31 33 3A 22 00 2A ; ";a:0:{}s:13:".*
00000030h: 00 6C 61 73 74 5F 6C 6F 67 69 6E 22 3B 69 3A 30 ; .last_login";i:0
00000040h: 3B 73 3A 31 30 3A 22 74 65 73 74 5F 76 61 6C 75 ; ;s:10:"test_valu
00000050h: 65 22 3B 69 3A 33 39 31 3B 7D                   ; e";i:391;}

The value in query that should update the database is truncated to the first 
null character in string. That is true for prepared statements with 
PDO->prepare() and also for only escaped values with PDO->quote().

When using the same code with mysql_pdo driver queries are not truncated and 
the null characters are stored in the database blob object.

I used base64_encode and decode functions to workaround this and stored base64 
encoded string in the database.

------------------------------------------------------------------------
[2008-03-13 18:30:19] hans at velum dot net

Description:
------------
I'm using PostgreSQL (8.2.x) and am having a problem inserting serialized data 
containing null characters (\0) into the database.  I am using prepared 
statements and the bindValue() method to bind the serialized data as a 
PDO::PARAM_STR.

It's not obvious from the output below, but these serialized strings contain 
null values because of the private variables.

I can't seem to find an existing bug for this; however, it surprises me that no 
one has reported this before.


Reproduce code:
---------------
$pdo = new PDO('pgsql: dbname=testdb user=postgres');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

try {
        $pdo->exec('DROP TABLE testtbl');
} catch (PDOException $x) { /* ignore */ }

$pdo->exec('CREATE TABLE testtbl (id integer not null, txtcol text)');

class MyClass {
  private $var1;
  function __construct($val) { $this->var1 = $val; }
}

$serialized = serialize(array('foo' => new MyClass('bar'), 'baz' => new 
MyClass('bingo!')));

print "Serialized data: " . $serialized . PHP_EOL;

$stmt = $pdo->prepare('INSERT INTO testtbl (id, txtcol) VALUES (1, ?)');
$stmt->bindValue(1, $serialized, PDO::PARAM_STR);
$stmt->execute();

$stmt = $pdo->query('SELECT * FROM testtbl WHERE id = 1');
$row = $stmt->fetch();

print "From database: " . $row['txtcol'] . PHP_EOL;


Expected result:
----------------
Serialized data: 
a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}
>From database: 
>a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}

Actual result:
--------------
Serialized data: 
a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"MyClassvar1";s:3:"bar";}s:3:"baz";O:7:"MyClass":1:{s:13:"MyClassvar1";s:6:"bingo!";}}
>From database: a:2:{s:3:"foo";O:7:"MyClass":1:{s:13:"


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=44433&edit=1