Edit report at https://bugs.php.net/bug.php?id=44639&edit=1
ID: 44639
Comment by: alek0585 at mail dot ru
Reported by: jgauld at blueyonder dot co dot uk
Summary: PDO quotes integers in prepared statement
Status: Open
Type: Bug
Package: PDO related
Operating System: *
PHP Version: 5.*
Block user comment: N
Private report: N
New Comment:
Yeah! Try this: $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); and then you
can use that!

foreach ($data as $key => $value) {
    // bindValue copies the value now; bindParam would bind a reference to $value,
    // so every placeholder would end up holding the last loop iteration's value
    $stmt->bindValue(':' . $key, $value, (is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR));
}

but you should be careful with the types of your variables.
Previous Comments:
------------------------------------------------------------------------
[2012-03-12 10:15:44] alvaro at demogracia dot com
This only happens on emulated parameter binding, i.e. when
PDO::ATTR_EMULATE_PREPARES is TRUE.
------------------------------------------------------------------------
[2012-02-25 06:28:34] preludeinz at gmail dot com
Please fix! I can't do my course's lab exercise (without introducing a SQL
injection vulnerability) without this feature.
------------------------------------------------------------------------
[2012-01-13 19:50:40] engin at e-php dot net
It's really sad seeing that this aged bug is not gonna get fixed.
------------------------------------------------------------------------
[2011-12-13 22:33:36] stephen-d at rogers dot com
I am surprised that something this simple has been unfixed for so long.
I wasted 8 hours trying to figure out "my" mistake. Thinking that it was a PDO
bug was inconceivable.
I finally turned on MySQL logging and saw that the numeric argument was being
enclosed in quotes. I posted to a web site for help and a kind person sent me
this link.
For others struggling with this, the work-around is to typecast all numeric
values that will be passed to PDO.
------------------------------------------------------------------------
[2011-04-27 20:24:08] riksoft at gmail dot com
PHP CLI v5.3.1:
I see that if no PDO::PARAM_* is used, PDO uses the variable's type.
E.g.
$sth->bindValue(6, $checksum, PDO::PARAM_INT);
or
$sth->bindValue(6, $checksum);
correctly treats the value $checksum (CRC32 int) as a number.
>>>> BUT <<<<
there is a problem with unsigned integers: according to
http://it.php.net/manual/en/pdo.constants.php
there isn't any useful constant for larger numeric values.
Real case: the only way to store a crc32 value across different DBs and
platforms (32/64 bit) is converting the CRC32 to an unsigned int this way:
sprintf("%u", crc32). But PDO::PARAM_INT is not able to handle values larger
than 2147483647.
Solution: securing the inputs with floatval() (at least when bindValue doesn't
write it as a string, which is not my case).
------------------------------------------------------------------------
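The two practical points raised in this thread (turn off PDO::ATTR_EMULATE_PREPARES so integers are not interpolated as quoted strings, and bind values whose magnitude exceeds what PDO::PARAM_INT can carry, such as an unsigned crc32 from sprintf("%u", ...), as strings) can be combined in one small binding helper. The following is an added example written for this page, not code from the bug report or from PHP's own PDO sources; it assumes PHP 8 (for match and the mixed type), the pdo_mysql driver, and a placeholder DSN and credentials that you must replace.

```php
<?php
// Added example (not from the bug report): bind every placeholder with an
// explicit PDO::PARAM_* type, using native server-side prepared statements,
// so that integers reach the server unquoted and large unsigned values are
// never truncated.
declare(strict_types=1);

/**
 * Pick the PDO::PARAM_* type for a value.
 *
 * PHP integers always fit PHP_INT_MAX, which is 2147483647 on a 32-bit build.
 * An unsigned crc32 produced with sprintf('%u', ...) is already a string on
 * such builds, so it is bound as PARAM_STR and the database converts it,
 * instead of PARAM_INT silently overflowing.
 */
function pdoParamType(mixed $value): int
{
    return match (true) {
        is_null($value) => PDO::PARAM_NULL,
        is_bool($value) => PDO::PARAM_BOOL,
        is_int($value)  => PDO::PARAM_INT,
        default         => PDO::PARAM_STR,
    };
}

/**
 * Bind an associative array onto named placeholders.
 *
 * bindValue copies the value at call time. bindParam would bind a reference
 * to $value, so after the loop every placeholder would see the last
 * iteration's value.
 */
function bindAll(PDOStatement $stmt, array $data): void
{
    foreach ($data as $key => $value) {
        $stmt->bindValue(':' . $key, $value, pdoParamType($value));
    }
}

// Assumed DSN and credentials: replace with your own.
$db = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // With emulation on, PDO builds the SQL string itself and quotes every
    // bound value, so LIMIT :lim becomes LIMIT '10', which MySQL rejects.
    // With emulation off, the server receives typed parameters.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Portable unsigned crc32 as described in the thread: a string on 32-bit
// builds, so pdoParamType() binds it as PARAM_STR rather than overflowing.
$checksum = sprintf('%u', crc32('example payload'));

$stmt = $db->prepare(
    'SELECT id, name FROM items WHERE owner = :owner AND checksum = :checksum LIMIT :lim'
);
bindAll($stmt, [
    'owner'    => 'alice',
    'checksum' => $checksum,
    'lim'      => 10,
]);
$stmt->execute();

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf("%d %s\n", $row['id'], $row['name']);
}
```

The LIMIT placeholder is the usual symptom of the quoting behaviour discussed above: it only works once emulation is disabled and the value is bound as PDO::PARAM_INT. Keeping the type decision in pdoParamType() also makes the "be careful with the types of your variables" caveat checkable in one place; if a column should only ever receive integers, cast at the call site with (int) before binding rather than relying on the database's string-to-number conversion.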
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=44639