Edit report at https://bugs.php.net/bug.php?id=65583&edit=1

 ID:                 65583
 Updated by:         johan...@php.net
 Reported by:        kevin at les-tilleuls dot coop
 Summary:            PDO MySQL driver does not properly escape
                     backslashes
-Status:             Open
+Status:             Not a bug
 Type:               Bug
 Package:            PDO related
 Operating System:   Mac OS X
 PHP Version:        5.5.3
 Block user comment: N
 Private report:     N

 New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Your issue is that for LIKE the \ is a special character. If you use 

$stmt = $dbh->prepare('SELECT test FROM test WHERE test = :data');

all works. See also 
http://dev.mysql.com/doc/refman/5.6/en/string-comparison-functions.html#operator_like

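The comment above describes the cause: the bound value reaches LIKE intact, and LIKE then interprets the backslash as its escape character. The following is an added example, not code from the bug report or from PDO itself, of how a caller can search for user-supplied text literally under LIKE while still binding it as a parameter. It names an explicit ESCAPE character, which overrides MySQL's default backslash, so the only characters that need escaping in the bound pattern are that character, `%` and `_`. The function names, the `!` escape character and the reuse of the `test` table from the report are assumptions of this example.

```php
<?php
// Added example: not part of bug #65583 or of the PDO MySQL driver.
// Assumes the `test` table from the report and a reachable MySQL server
// for the PDO part; the string helper runs stand-alone.

/**
 * Escape $value so it matches itself literally inside a LIKE pattern.
 * Once the query names an ESCAPE character, LIKE treats only that
 * character, '%' and '_' specially; a backslash in the data is literal.
 */
function escapeLikeLiteral(string $value, string $escape = '!'): string
{
    if (strlen($escape) !== 1) {
        throw new InvalidArgumentException('LIKE escape character must be one byte');
    }
    // Escape the escape character first so the '%' and '_' replacements
    // inserted afterwards are not escaped a second time.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/**
 * Rows whose `test` column starts with $prefix, taken literally.
 * The ESCAPE clause is a plain one-byte SQL literal; choosing '!' rather
 * than '\' avoids the backslash doubling that the report ran into.
 * The pattern is still a bound parameter, never interpolated into the SQL.
 */
function findByPrefix(PDO $dbh, string $prefix): array
{
    $stmt = $dbh->prepare(
        "SELECT test FROM test WHERE test LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute(['pattern' => escapeLikeLiteral($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Self-checks on the helper that need no database (constructed inputs).
if (escapeLikeLiteral('\\abc') !== '\\abc') {
    throw new RuntimeException('backslash must be left untouched');
}
if (escapeLikeLiteral('100%_x!') !== '100!%!_x!!') {
    throw new RuntimeException('wildcards and the escape character must be escaped');
}

// With a live server (credentials from the report, adjust as needed):
//   $dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', 'root', '');
//   $rows = findByPrefix($dbh, '\\');   // rows beginning with a literal backslash
//   $rows = findByPrefix($dbh, '100%'); // rows beginning with the text "100%"
```

The reporter's own workaround, doubling the backslash before binding, also works, but it only covers the backslash; a value containing `%` or `_` would still act as a wildcard. Escaping all three LIKE metacharacters against an explicit ESCAPE character handles every input the same way, and the query stays parameterised, so none of this changes the SQL injection posture of the prepared statement.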

Previous Comments:
------------------------------------------------------------------------
[2013-08-29 13:10:55] kevin at les-tilleuls dot coop

Description:
------------
PDO MySQL driver does not escape backslashes in string.

The MySQL doc indicates that backslashes must be doubled to be escaped 
http://dev.mysql.com/doc/refman/5.6/en/string-literals.html

The driver does not do that. See the script above.
Should this escaping be done by PDO or a higher layer like Doctrine DBAL?

Test script:
---------------
<?php

define('DSN', 'mysql:dbname=testdb;host=127.0.0.1');
define('USER', 'root');
define('PASSWORD', '');

/* DATABASE STRUCTURE

CREATE TABLE `test` (
  `test` varchar(255) NOT NULL,
  PRIMARY KEY (`test`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

*/

$dbh = new PDO(DSN, USER, PASSWORD);

$data = '\\' . uniqid();

$stmt = $dbh->prepare('INSERT INTO test(test) VALUES(:data)');
$stmt->execute(array('data' => $data));


$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' => $data));

var_dump($stmt->fetchColumn());

$stmt = $dbh->prepare('SELECT test FROM test WHERE test LIKE :data');
$stmt->execute(array('data' =>  str_replace('\\', '\\\\', $data)));

var_dump($stmt->fetchColumn());


Expected result:
----------------
string(14) "\521f3f450f597"
bool(false)

Actual result:
--------------
bool(false)
string(14) "\521f3f450f597"


------------------------------------------------------------------------


