xref: /PHP-8.0/ext/pdo_mysql/tests/bug41125.phpt (revision 9e3ba775)
1--TEST--
2Bug #41125 (PDO mysql + quote() + prepare() can result in seg fault)
3--SKIPIF--
<?php
// SKIPIF section: load the shared skip logic and the MySQL PDO test helpers,
// then let the helper decide whether this test can run here.
// NOTE(review): skipif.inc and MySQLPDOTest::skip() are defined outside this
// file; presumably they report a skip when no usable MySQL server is
// configured. Confirm against the helper sources.
require_once __DIR__ . DIRECTORY_SEPARATOR . 'skipif.inc';
require_once __DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc';

MySQLPDOTest::skip();
?>
10--FILE--
<?php

// Regression test for bug #41125: feeding quote() output into prepare() could
// crash the PDO MySQL driver. The script checks how the statement parser
// tracks string-literal boundaries, because that decides which `?` / `:name`
// tokens are treated as placeholders and which are plain text.
require_once(__DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');

// NOTE(review): PDOTest::test_factory() is defined outside this file;
// presumably it returns a connected PDO handle. Confirm in the shared helpers.
$db = PDOTest::test_factory(__DIR__ . '/common.phpt');

// Case 1: a value containing an apostrophe is escaped with quote() and
// concatenated into the SQL text, which is then passed to prepare(). The
// parser has to step over the escaped apostrophe inside the literal without
// losing track of where the literal ends. Expected: one row holding 1.
// This concatenation is deliberate test input; application code should bind
// the value as a parameter instead of splicing quote() output into SQL.
$search = "o'";
$sql = "SELECT 1 FROM DUAL WHERE 'o''riley' LIKE " . $db->quote('%' . $search . '%');
$stmt = $db->prepare($sql);
$stmt->execute();
// fetch() yields a falsy value when there is no row; the ternary substitutes
// an empty array so implode() prints an empty line. `@` silences any
// diagnostic raised by fetch() itself.
print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
// errorInfo() is printed after every case so a parser error shows up in the
// output instead of passing silently.
print implode(' - ', $stmt->errorinfo()) ."\n";

print "-------------------------------------------------------\n";
25
// Case 2: positional (`?`) placeholders. Every query is executed with exactly
// one bound value, so a query whose only `?` lies inside a string literal has
// no placeholder and execute() raises the HY093 warning listed in the
// expected output.
$queries = array(
    // [1] The `?` is inside a literal that also uses \' escapes: no
    //     placeholder, HY093 expected.
    "SELECT 1 FROM DUAL WHERE 1 = '?\'\''",
    // [2] PHP "\\'" puts \' into the SQL text; the trailing `?` is the only
    //     placeholder. Expected row: a'0
    "SELECT 'a\\'0' FROM DUAL WHERE 1 = ?",
    // [3] Mixes \' and '' escaping in adjacent literals; the trailing `?` is
    //     the placeholder. Expected row: a - b'
    "SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND ?",
    // [4] The `?` in 'foo?bar' is literal text, followed by an empty literal
    //     and a doubled-quote literal; the trailing `?` is the placeholder.
    "SELECT 'foo?bar', '', '''' FROM DUAL WHERE ?"
);

foreach ($queries as $k => $query) {
    $stmt = $db->prepare($query);
    // execute() runs before the query is printed, so a warning from it
    // appears ahead of the matching "[n] Query" line in the output.
    $stmt->execute(array(1));
    printf("[%d] Query: [[%s]]\n", $k + 1, $query);
    // An empty line is printed when no row comes back (see the ternary
    // fallback to an empty array); `@` silences diagnostics from fetch().
    print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
    print implode(' - ', $stmt->errorinfo()) ."\n";
    print "--------\n";
}
41
// Case 3: a bound value that itself contains quoting metacharacters.
// Emulated prepares are switched on explicitly, so PDO substitutes the bound
// value into the SQL text on the client side and its escaping is what keeps
// the value inside the literal.
// NOTE(review): the mode in effect before this call depends on the factory
// and is not visible here.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$sql = "SELECT upper(:id) FROM DUAL WHERE '1'";
$stmt = $db->prepare($sql);

// Single-quoted PHP string: the value is the four characters o ' \ 0
// (an apostrophe and a literal backslash followed by the digit 0, not a NUL
// byte). The expected output O'\0 shows the value comes back unchanged apart
// from case, i.e. the apostrophe and backslash did not end or alter the
// literal.
$id = 'o\'\0';
// bindParam() binds by reference; the value is read when execute() runs.
$stmt->bindParam(':id', $id);
$stmt->execute();
printf("Query: [[%s]]\n", $sql);
// Empty line when no row is returned; `@` silences diagnostics from fetch().
print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
print implode(' - ', $stmt->errorinfo()) ."\n";

print "-------------------------------------------------------\n";
54
// Case 4: named (`:id`) placeholders combined with literals that use
// backslash escapes, doubled quotes and empty strings. One parameter is bound
// for every query, so a query with no `:id` outside a literal is expected to
// raise HY093 at execute().
$queries = array(
    // [1]-[4] `:id` appears twice outside any literal; the literals in
    //         between use \0, '', \'\' and \' respectively.
    "SELECT 1, 'foo' FROM DUAL WHERE 1 = :id AND '\\0' IS NULL AND  2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '' AND  2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '\'\'' = '''' AND  2 <> :id",
    "SELECT 1 FROM DUAL WHERE 1 = :id AND '\'' = '''' AND  2 <> :id",
    // [5], [6] No `:id` anywhere: HY093 expected.
    "SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND 1",
    "SELECT 'a''', '\'b\'' FROM DUAL WHERE '''' LIKE '\\'' AND 1",
    // [7] `:id` as a function argument.
    "SELECT UPPER(:id) FROM DUAL WHERE '1'",
    // [8] No placeholder, only a literal holding an escaped quote: HY093.
    "SELECT 1 FROM DUAL WHERE '\''",
    // [9] `:id` on both sides of a '\0' literal.
    "SELECT 1 FROM DUAL WHERE :id AND '\\0' OR :id",
    // [10] Literal with several backslash escapes ahead of the placeholder.
    "SELECT 1 FROM DUAL WHERE 'a\\f\\n\\0' AND 1 >= :id",
    // [11] No placeholder: HY093.
    "SELECT 1 FROM DUAL WHERE '\'' = ''''",
    // [12] The only `:id` is inside a string literal, so it is text rather
    //      than a placeholder: HY093.
    "SELECT '\\n' '1 FROM DUAL WHERE '''' and :id'",
    // [13] The first `:id` is inside a literal; the trailing `:id` follows
    //      the closing quote. Expected: one row, no warning.
    "SELECT 1 'FROM DUAL WHERE :id AND '''' = '''' OR 1 = 1 AND ':id",
);

// Emulated prepares were already enabled earlier in the script; this call
// repeats the setting before the named-placeholder group runs.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$id = 1;

foreach ($queries as $k => $query) {
    $stmt = $db->prepare($query);
    // The parameter is bound even for queries that have no `:id`; the
    // mismatch is reported by execute(), before the query text is printed.
    $stmt->bindParam(':id', $id);
    $stmt->execute();

    printf("[%d] Query: [[%s]]\n", $k + 1, $query);
    // Empty line when no row is returned; `@` silences diagnostics from fetch().
    print implode(' - ', (($r = @$stmt->fetch(PDO::FETCH_NUM)) ? $r : array())) ."\n";
    print implode(' - ', $stmt->errorinfo()) ."\n";
    print "--------\n";
}

?>
86--EXPECTF--
871
8800000 -  -
89-------------------------------------------------------
90
91Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
92[1] Query: [[SELECT 1 FROM DUAL WHERE 1 = '?\'\'']]
93
9400000 -  -
95--------
96[2] Query: [[SELECT 'a\'0' FROM DUAL WHERE 1 = ?]]
97a'0
9800000 -  -
99--------
100[3] Query: [[SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\'' AND ?]]
101a - b'
10200000 -  -
103--------
104[4] Query: [[SELECT 'foo?bar', '', '''' FROM DUAL WHERE ?]]
105foo?bar -  - '
10600000 -  -
107--------
108Query: [[SELECT upper(:id) FROM DUAL WHERE '1']]
109O'\0
11000000 -  -
111-------------------------------------------------------
112[1] Query: [[SELECT 1, 'foo' FROM DUAL WHERE 1 = :id AND '\0' IS NULL AND  2 <> :id]]
113
11400000 -  -
115--------
116[2] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '' AND  2 <> :id]]
117
11800000 -  -
119--------
120[3] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '\'\'' = '''' AND  2 <> :id]]
121
12200000 -  -
123--------
124[4] Query: [[SELECT 1 FROM DUAL WHERE 1 = :id AND '\'' = '''' AND  2 <> :id]]
1251
12600000 -  -
127--------
128
129Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
130[5] Query: [[SELECT 'a', 'b\'' FROM DUAL WHERE '''' LIKE '\'' AND 1]]
131
13200000 -  -
133--------
134
135Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
136[6] Query: [[SELECT 'a''', '\'b\'' FROM DUAL WHERE '''' LIKE '\'' AND 1]]
137
13800000 -  -
139--------
140[7] Query: [[SELECT UPPER(:id) FROM DUAL WHERE '1']]
1411
14200000 -  -
143--------
144
145Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
146[8] Query: [[SELECT 1 FROM DUAL WHERE '\'']]
147
14800000 -  -
149--------
150[9] Query: [[SELECT 1 FROM DUAL WHERE :id AND '\0' OR :id]]
1511
15200000 -  -
153--------
154[10] Query: [[SELECT 1 FROM DUAL WHERE 'a\f\n\0' AND 1 >= :id]]
155
15600000 -  -
157--------
158
159Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
160[11] Query: [[SELECT 1 FROM DUAL WHERE '\'' = '''']]
161
16200000 -  -
163--------
164
165Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in %s on line %d
166[12] Query: [[SELECT '\n' '1 FROM DUAL WHERE '''' and :id']]
167
16800000 -  -
169--------
170[13] Query: [[SELECT 1 'FROM DUAL WHERE :id AND '''' = '''' OR 1 = 1 AND ':id]]
1711
17200000 -  -
173--------
174