#49381 [Opn]: PDO mysql prepare incorrectly quoting

Fri, 18 Sep 2009 01:20:06 -0700 

 ID:               49381
 Updated by:       u...@php.net
 Reported By:      eprayner at gmail dot com
 Status:           Open
 Bug Type:         PDO related
 Operating System: Linux
 PHP Version:      5.2SVN-2009-08-27 (SVN)
 New Comment:

It is not a MySQL bug. MySQL native prepared statements to not support
using bind variables as identifiers.

http://dev.mysql.com/doc/refman/5.1/en/prepare.html

At most it is a bug of the PDO prepared statement emulation parser. 



Previous Comments:
------------------------------------------------------------------------

[2009-08-27 03:35:02] eprayner at gmail dot com

MYSQL Server version: 5.0.67-0ubuntu6 (Ubuntu)

>From reading other bugs, I'm beginning to think this is a MySQL bug,
rather than a PHP bug.

------------------------------------------------------------------------

[2009-08-27 03:31:03] eprayner at gmail dot com

Description:
------------
When using PDO prepare for mysql, quotes are incorrectly inserted
around column names, resulting in errors or unexpected results.  This
problem would have been _much_ easier to diagonise if there was a way of
seeing the actual statement.  Something like:
$string PDOStatement::executeString()---returns the statement that
would have been executed by PDOStatement::execute().

Reproduce code:
---------------
//given a mysql connection $pdo
//and a database table 'myTable' with columns: id, col1, col2, col3
//with a row: 1, value1, value2, value3.

$stmt=$pdo->prepare("SELECT ? FROM myTable WHERE id=?");
$myColumn = 'col1';
$stmt->execute(array($myColumn, 1));
$row=$stmt->fetch();
print_r($row);

Expected result:
----------------
I'd expect to see: "value1" displayed, as you'd expect for the
statement: "SELECT col1 FROM myTable WHERE id=1"

Actual result:
--------------
What is displayed is: "col1", as you'd expect for the statement:
"SELECT 'col1' FROM myTable WHERE id=1"

Other statements result in errors.  Example:
$stmt=$pdo->prepare("UPDATE myTable SET ?=? WHERE id=?");
$stmt->execute(array($myColumn, $myValue, $myId));

is a syntax error, as is the SQL:
UPDATE myTable SET 'col1'=3 WHERE id=1;

This problem means that I cant use prepare and execute statements at
all.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49381&edit=1

Reply via email to