--TEST--
Bug #41125 (PDO mysql + quote() + prepare() can result in seg fault)
--EXTENSIONS--
pdo_mysql
--SKIPIF--
<?php
require_once __DIR__ . '/inc/mysql_pdo_test.inc';
MySQLPDOTest::skip();
?>
--FILE--
<?php
/*
 * Regression test for bug #41125.
 *
 * Two things are pinned by the expected output below:
 *   1. Feeding the result of $db->quote() into prepare()/execute() must not
 *      crash (the original report was a segfault).
 *   2. PDO's placeholder scanner must treat `?` and `:name` that appear
 *      INSIDE a quoted SQL string literal as data, not as parameters, even
 *      when the literal contains backslash-escaped quotes (\'), doubled
 *      quotes (''), or backslash sequences such as \0, \f, \n.  Every query
 *      whose only placeholder-looking text sits inside a literal is expected
 *      to raise HY093 ("number of bound variables does not match number of
 *      tokens"), which is how the output proves the scanner ignored it.
 *
 * NOTE(review): this is security-relevant.  If an escaped quote were
 * mis-tokenised, PDO could substitute a bound value into the middle of a
 * string literal, or fail to recognise a real placeholder; either outcome
 * would undermine the parameterisation callers rely on to prevent SQL
 * injection.  Keep the expected output in sync with any scanner change.
 */
require_once __DIR__ . '/inc/mysql_pdo_test.inc';
$db = MySQLPDOTest::factory();

// A value with an embedded single quote, escaped by quote() and then run
// through prepare().  The literal on the left uses the doubled-quote form,
// so both escaping styles appear in one statement.
$search = "o'";
$sql = "SELECT 1 FROM DUAL WHERE 'o''riley' LIKE " . $db->quote('%' . $search . '%');
$stmt = $db->prepare($sql);
$stmt->execute();
// The @ keeps fetch() quiet when execute() already failed; the row (or
// nothing) plus errorInfo() is what gets compared against --EXPECTF--.
print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
print implode(' - ', $stmt->errorinfo()) ."\n";

print "-------------------------------------------------------\n";

// Positional placeholders.  Only the `?` that sits outside a string literal
// is a real parameter; the first query has none, so execute(array(1)) must
// report a bound-variable mismatch (HY093) rather than substituting into
// the literal.  The prepare mode here is whatever the factory configured.
$queries = array(
    "SELECT 1 FROM DUAL WHERE 1 = '?\'\''",
    "SELECT 'a\\'0' FROM DUAL WHERE 1 = ?",
    "SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND ?",
    "SELECT 'foo?bar', '', '''' FROM DUAL WHERE ?"
);

foreach ($queries as $k => $query) {
    $stmt = $db->prepare($query);
    // execute() runs before printf() so that any HY093 warning is emitted
    // ahead of the "[n] Query:" line, matching the expected output order.
    $stmt->execute(array(1));
    printf("[%d] Query: [[%s]]\n", $k + 1, $query);
    print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
    print implode(' - ', $stmt->errorinfo()) ."\n";
    print "--------\n";
}

// From here on emulated prepares are forced: named placeholders are then
// rewritten client-side by PDO, which is exactly the code path where the
// quote/escape scanning under test matters.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$sql = "SELECT upper(:id) FROM DUAL WHERE '1'";
$stmt = $db->prepare($sql);

// Single-quoted PHP string: \0 is NOT an escape here, so the bound value is
// the four bytes o ' \ 0 (a quote followed by a literal backslash and zero),
// not a NUL byte.  The expected row "O'\0" confirms it round-trips intact.
$id = 'o\'\0';
$stmt->bindParam(':id', $id);
$stmt->execute();
printf("Query: [[%s]]\n", $sql);
print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
print implode(' - ', $stmt->errorinfo()) ."\n";

print "-------------------------------------------------------\n";

// Named placeholders mixed with awkward literals.  Cases [5], [6], [8], [11]
// and [12] contain no `:id` outside a literal (in [12] the `:id` is inside
// the second literal), so binding :id must yield HY093.  Case [13] ends with
// a real `:id` after the literal closes and is expected to succeed.
$queries = array(
    "SELECT 1, 'foo' FROM DUAL WHERE 1 = :id AND '\\0' IS NULL AND 2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '' AND 2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '\'\'' = '''' AND 2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '\'' = '''' AND 2 <> :id",
    "SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND 1",
    "SELECT 'a''', '\'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND 1",
    "SELECT UPPER(:id) FROM DUAL WHERE '1'",
    "SELECT 1 FROM DUAL WHERE '\''",
    "SELECT 1 FROM DUAL WHERE :id AND '\\0' OR :id",
    "SELECT 1 FROM DUAL WHERE 'a\\f\\n\\0' AND 1 >= :id",
    "SELECT 1 FROM DUAL WHERE '\'' = ''''",
    "SELECT '\\n' '1 FROM DUAL WHERE '''' and :id'",
    "SELECT 1 'FROM DUAL WHERE :id AND '''' = '''' OR 1 = 1 AND ':id",
);

// Re-asserting emulation is redundant with the call above; harmless.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$id = 1;

foreach ($queries as $k => $query) {
    $stmt = $db->prepare($query);
    $stmt->bindParam(':id', $id);
    $stmt->execute();

    printf("[%d] Query: [[%s]]\n", $k + 1, $query);
    print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
    print implode(' - ', $stmt->errorinfo()) ."\n";
    print "--------\n";
}

?>
--EXPECTF--
1
00000 -  - 
-------------------------------------------------------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[1] Query: [[SELECT 1 FROM DUAL WHERE 1 = '?\'\'']]

00000 -  - 
--------
[2] Query: [[SELECT 'a\'0' FROM DUAL WHERE 1 = ?]]
a'0
00000 -  - 
--------
[3] Query: [[SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\'' AND ?]]
a - b'
00000 -  - 
--------
[4] Query: [[SELECT 'foo?bar', '', '''' FROM DUAL WHERE ?]]
foo?bar -  - '
00000 -  - 
--------
Query: [[SELECT upper(:id) FROM DUAL WHERE '1']]
O'\0
00000 -  - 
-------------------------------------------------------
[1] Query: [[SELECT 1, 'foo' FROM DUAL WHERE 1 = :id AND '\0' IS NULL AND 2 <> :id]]

00000 -  - 
--------
[2] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '' AND 2 <> :id]]

00000 -  - 
--------
[3] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '\'\'' = '''' AND 2 <> :id]]

00000 -  - 
--------
[4] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '\'' = '''' AND 2 <> :id]]
1
00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[5] Query: [[SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\'' AND 1]]

00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[6] Query: [[SELECT 'a''', '\'b\'' FROM DUAL WHERE '''' LIKE '\'' AND 1]]

00000 -  - 
--------
[7] Query: [[SELECT UPPER(:id) FROM DUAL WHERE '1']]
1
00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[8] Query: [[SELECT 1 FROM DUAL WHERE '\'']]

00000 -  - 
--------
[9] Query: [[SELECT 1 FROM DUAL WHERE :id AND '\0' OR :id]]
1
00000 -  - 
--------
[10] Query: [[SELECT 1 FROM DUAL WHERE 'a\f\n\0' AND 1 >= :id]]

00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[11] Query: [[SELECT 1 FROM DUAL WHERE '\'' = '''']]

00000 -  - 
--------

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
[12] Query: [[SELECT '\n' '1 FROM DUAL WHERE '''' and :id']]

00000 -  - 
--------
[13] Query: [[SELECT 1 'FROM DUAL WHERE :id AND '''' = '''' OR 1 = 1 AND ':id]]
1
00000 -  - 
--------