ID: 36281
User updated by: vendor at visv dot net
Reported By: vendor at visv dot net
Status: Bogus
Bug Type: Documentation problem
Operating System: Linux
PHP Version: 5.1.2
New Comment:
The code suggested by [EMAIL PROTECTED] in the previous comment
works. I have used this as a basis for a user-contributed note
in the online documentation.
Thank you.
Previous Comments:
------------------------------------------------------------------------
[2006-02-05 18:54:06] [EMAIL PROTECTED]
The bug reporter has erred in assuming that parameters can be replaced
_inside_ delimited strings within the SQL statement; he or she is
treating parameter markers like plain old PHP variables. Of course,
that would lead directly to possible SQL injection, which is exactly
what bound parameters are meant to avoid.
(Also, the sample code provided is missing an ending double-quote on
the first line.)
I'm sure the application will work as intended if rewritten as
follows:
$q = "SELECT id, name FROM test WHERE name like :foo";
$s = "carrot";
$dbh = new PDO('mysql:...', $user, $pass);
$sth = $dbh->prepare($q);
/* prepend and append % around the user-supplied value to match
anywhere in the NAME field */
$s = "%{$s}%";
$sth->bindParam(':foo', $s);
$sth->execute();
while ($r = $sth->fetch()) {
    print_r($r);
}
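A runnable version of the pattern above, added here as an example and not part of the comment or of PHP's own code. It uses an in-memory SQLite database with constructed rows so it runs offline, and it also escapes LIKE metacharacters in the user value, which binding alone does not do; the table, column and function names are assumptions.

```php
<?php
// Added example: the LIKE pattern is built in PHP and bound as one value.
// Writing :foo inside a quoted string literal in the SQL does not create a
// parameter; the driver just sees the literal text '%:foo%'.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample data.
$ins = $dbh->prepare('INSERT INTO test (name) VALUES (:name)');
foreach (['carrot', 'carrot cake', 'parsnip', '100% carrot'] as $name) {
    $ins->execute([':name' => $name]);
}

function findByName(PDO $dbh, string $needle): array
{
    // A bound parameter stops the value from being parsed as SQL, but '%'
    // and '_' inside the value are still LIKE wildcards. Escape them with a
    // marker character and tell SQL which one we used via ESCAPE, so user
    // input matches literally. '!' is used rather than a backslash to avoid
    // driver-specific backslash handling in string literals.
    $escaped = strtr($needle, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $sth = $dbh->prepare(
        "SELECT id, name FROM test WHERE name LIKE :foo ESCAPE '!'"
    );
    $sth->execute([':foo' => '%' . $escaped . '%']);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Plain substring search, as in the original report.
print_r(findByName($dbh, 'carrot'));
// A literal percent sign in the user value matches only names containing '%'.
print_r(findByName($dbh, '%'));
// A quote in the value is treated as data: no SQL error, no changed query.
print_r(findByName($dbh, "car'rot"));
```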
------------------------------------------------------------------------
[2006-02-04 18:54:21] vendor at visv dot net
Possibly. How can we determine that definitively? At the
least, I would like to add a user-note to the online
documentation, if someone cannot add it to the core docs
for pdo-mysql.
The db in question is mysql 4.1
------------------------------------------------------------------------
[2006-02-04 18:49:21] [EMAIL PROTECTED]
I doubt this is a bug... many DB APIs simply don't support bind
variables like this. A bind variable is not just any substitution for a
string.
------------------------------------------------------------------------
[2006-02-04 18:49:15] [EMAIL PROTECTED]
That is not a valid parameter definition.
------------------------------------------------------------------------
[2006-02-04 18:21:16] vendor at visv dot net
No change nor improvement with
http://snaps.php.net/php5.1-latest.tar.gz on Feb 4. 12:20PM
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/36281