Home Original page

bind parameter cannot contain dashes

Bug #43130 bind parameter cannot contain dashes
Submitted: 2007-10-29 18:07 UTC Modified: 2007-12-08 17:21 UTC
Votes:124
Avg. Score:3.3 ± 1.3
Reproduced:42 of 70 (60.0%)
Same Version:25 (59.5%)
Same OS:19 (45.2%)
From: joel at purerave dot com Assigned: iliaa (profile)
Status: Wont fix Package: PDO related
PHP Version: 5.2.4 OS: Windows XP Home
Private report: No CVE-ID: None

 [2007-10-29 18:07 UTC] joel at purerave dot com

Description:
------------
Parameters to bind in a prepared statement cannot contain dashes (-) in the name. It probably assumes that "-value" should be another variable.

If this cannot be fixed, then at least update the documentation to make it clear what names can and cannot be used. Using {} around the variable name would be nice too!

Reproduce code:
---------------
$db = new PDO("mysql:host=localhost;dbname=testing", 'xxxx', 'xxxx');
$stmt = $db->prepare("SELECT id FROM testing WHERE id=:id-value");
$stmt->bindParam(':id-value', $id);
$id = 1;
$stmt->execute();
var_dump($stmt->fetch());

Expected result:
----------------
array(2) { ["id"]=>  string(1) "1" [0]=>  string(1) "1" }

Actual result:
--------------
Warning: PDOStatement::execute() [function.PDOStatement-execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\htdocs\test.php on line 8
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2007-10-29 22:37 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

 [2007-10-30 09:51 UTC] uw@php.net

I disagree with the decision to allow "-" in parameter names. Parameter names should consist of [a-zA-Z] and nothing else. "-" is an operator in most databases. 

For BC compatibility I'm also fine with the old pattern [:][a-zA-Z0-9_]+ . Though I must say, that I'd prefer [:][a-zA-Z]+[a-zA-Z0-9_]+, don't allow ":0". ":0" looks a bit like "operator" + "number"...

However, the underlying problem here is that there is absolutely no specification for PDO. This makes PDO a guessing game and error prone.

 [2018-10-25 16:28 UTC] neelaraghavendra1 at gmail dot com

i cant store php form data in mysql