--TEST--
Bug #41125 (PDO mysql + quote() + prepare() can result in seg fault)
--EXTENSIONS--
pdo_mysql
--SKIPIF--
<?php
require_once(__DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');
MySQLPDOTest::skip();

?>
--FILE--
<?php

require_once(__DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');

/*
 * Regression test for bug #41125: SQL text that mixes quote()-escaped or
 * hand-written literals (embedded quotes, backslashes, "\0") with placeholders
 * used to crash the pdo_mysql statement parser. Every query below goes through
 * prepare() + execute(); the first row and errorInfo() are echoed so that the
 * expected output pins both the result and the HY093 warning that execute()
 * raises when the only placeholder-looking text sits inside a quoted literal.
 */

// Echoes the first row of $stmt (fields joined by ' - '), then its errorInfo()
// triple. fetch() is silenced on purpose: a statement whose execute() failed
// simply yields an empty row line, which the expected output relies on.
function print_row_and_error(PDOStatement $stmt): void
{
    $row = @$stmt->fetch(PDO::FETCH_NUM);
    print implode(' - ', $row ?: []) . "\n";
    print implode(' - ', $stmt->errorInfo()) . "\n";
}

$db = PDOTest::test_factory(__DIR__ . '/common.phpt');

// 1) quote() output spliced into the SQL text, native (non-emulated) prepare.
$search = "o'";
$sql = "SELECT 1 FROM DUAL WHERE 'o''riley' LIKE " . $db->quote('%' . $search . '%');
$stmt = $db->prepare($sql);
$stmt->execute();
print_row_and_error($stmt);

print "-------------------------------------------------------\n";

// 2) Positional placeholders beside literals that contain '?' or escaped quotes.
//    Exactly one value is bound for every query, so a query with no real
//    placeholder must produce HY093 instead of crashing.
$positionalQueries = [
    "SELECT 1 FROM DUAL WHERE 1 = '?\'\''",
    "SELECT 'a\\'0' FROM DUAL WHERE 1 = ?",
    "SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND ?",
    "SELECT 'foo?bar', '', '''' FROM DUAL WHERE ?",
];

foreach ($positionalQueries as $index => $query) {
    $stmt = $db->prepare($query);
    $stmt->execute([1]);
    printf("[%d] Query: [[%s]]\n", $index + 1, $query);
    print_row_and_error($stmt);
    print "--------\n";
}

// 3) Emulated prepares: the bound value itself carries a quote and a literal "\0".
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$sql = "SELECT upper(:id) FROM DUAL WHERE '1'";
$stmt = $db->prepare($sql);

$id = 'o\'\0';
$stmt->bindParam(':id', $id);
$stmt->execute();
printf("Query: [[%s]]\n", $sql);
print_row_and_error($stmt);

print "-------------------------------------------------------\n";

// 4) Emulated prepares with a named placeholder: ':id' appears outside literals,
//    only inside literals, or repeatedly; literals carry '', \', \\, \0, \f, \n.
$namedQueries = [
    "SELECT 1, 'foo' FROM DUAL WHERE 1 = :id AND '\\0' IS NULL AND 2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '' AND 2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '\'\'' = '''' AND 2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '\'' = '''' AND 2 <> :id",
    "SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND 1",
    "SELECT 'a''', '\'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND 1",
    "SELECT UPPER(:id) FROM DUAL WHERE '1'",
    "SELECT 1 FROM DUAL WHERE '\''",
    "SELECT 1 FROM DUAL WHERE :id AND '\\0' OR :id",
    "SELECT 1 FROM DUAL WHERE 'a\\f\\n\\0' AND 1 >= :id",
    "SELECT 1 FROM DUAL WHERE '\'' = ''''",
    "SELECT '\\n' '1 FROM DUAL WHERE '''' and :id'",
    "SELECT 1 'FROM DUAL WHERE :id AND '''' = '''' OR 1 = 1 AND ':id",
];

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$id = 1;

foreach ($namedQueries as $index => $query) {
    $stmt = $db->prepare($query);
    $stmt->bindParam(':id', $id);
    $stmt->execute();

    printf("[%d] Query: [[%s]]\n", $index + 1, $query);
    print_row_and_error($stmt);
    print "--------\n";
}

?>
--EXPECTF--
1
00000 -  - 
-------------------------------------------------------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[1] Query: [[SELECT 1 FROM DUAL WHERE 1 = '?\'\'']]

00000 -  - 
--------
[2] Query: [[SELECT 'a\'0' FROM DUAL WHERE 1 = ?]]
a'0
00000 -  - 
--------
[3] Query: [[SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\'' AND ?]]
a - b'
00000 -  - 
--------
[4] Query: [[SELECT 'foo?bar', '', '''' FROM DUAL WHERE ?]]
foo?bar -  - '
00000 -  - 
--------
Query: [[SELECT upper(:id) FROM DUAL WHERE '1']]
O'\0
00000 -  - 
-------------------------------------------------------
[1] Query: [[SELECT 1, 'foo' FROM DUAL WHERE 1 = :id AND '\0' IS NULL AND 2 <> :id]]

00000 -  - 
--------
[2] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '' AND 2 <> :id]]

00000 -  - 
--------
[3] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '\'\'' = '''' AND 2 <> :id]]

00000 -  - 
--------
[4] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '\'' = '''' AND 2 <> :id]]
1
00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[5] Query: [[SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\'' AND 1]]

00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[6] Query: [[SELECT 'a''', '\'b\'' FROM DUAL WHERE '''' LIKE '\'' AND 1]]

00000 -  - 
--------
[7] Query: [[SELECT UPPER(:id) FROM DUAL WHERE '1']]
1
00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[8] Query: [[SELECT 1 FROM DUAL WHERE '\'']]

00000 -  - 
--------
[9] Query: [[SELECT 1 FROM DUAL WHERE :id AND '\0' OR :id]]
1
00000 -  - 
--------
[10] Query: [[SELECT 1 FROM DUAL WHERE 'a\f\n\0' AND 1 >= :id]]

00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[11] Query: [[SELECT 1 FROM DUAL WHERE '\'' = '''']]

00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[12] Query: [[SELECT '\n' '1 FROM DUAL WHERE '''' and :id']]

00000 -  - 
--------
[13] Query: [[SELECT 1 'FROM DUAL WHERE :id AND '''' = '''' OR 1 = 1 AND ':id]]
1
00000 -  - 
--------