Home Original page

PHP :: Bug #44189 :: PDO::setAttribute(PDO::ATTR_ERRMODE, <bogus>) parameter checks

Bug #44189 PDO::setAttribute(PDO::ATTR_ERRMODE, <bogus>) parameter checks
Submitted: 2008-02-20 18:16 UTC Modified: 2008-02-21 13:38 UTC
From: uwendel at mysql dot com Assigned:
Status: Closed Package: PDO related
PHP Version: 5.3CVS-2008-02-20 (CVS) OS: Linux
Private report: No CVE-ID: None

 [2008-02-20 18:16 UTC] uwendel at mysql dot com

Description:
------------
Question: is there consensus that PDO should use stricter parameter checking. By that I mean primarily that PDO functions follow the "modern" style of bailing out if you pass a non-scalar value parameter which expect a scalar?

[1] Like this:

 $tmp = array()
 PDO->setAttribute(PDO::ATTR_ERRMODE, $tmp)


If everybody agrees, Andrey or Johannes can fix this and similar minor flaws as we continue with the PDO_MYSQLND development. I guess there's a good number of similar flaws.

[2] Related, what about this one:

  $tmp = new stdClass()
  PDO->setAttribute(PDO::ATTR_ERRMODE, $tmp)

Reproduce code:
---------------
[1] nixnutz@ulflinux:~/php53> sapi/cli/php -r '$pdo=new PDO("sqlite:/tmp/foo.db"); $tmp = array(); var_dump($pdo->setAttribute(PDO::ATTR_ERRMODE, $tmp));'
bool(true)

[2] nixnutz@ulflinux:~/php53> sapi/cli/php -r '$pdo=new PDO("sqlite:/tmp/foo.db"); $tmp = new stdClass(); var_dump($pdo->setAttribute(PDO::ATTR_ERRMODE, $tmp));'
bool(true)
(may print a notice about the implicit casting)

Expected result:
----------------
Warning or similar + bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2008-02-20 18:46 UTC] uwendel at mysql dot com

PDO->setAttribute(PDO::ATTR_ORACLE_NULLS, <bogus>)

Same story. As said, we can fix those tiny things as we go, if there's consensus to change it.

 [2008-02-21 13:38 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

In some cases the attribute value cannot be filtered against a white 
list, so any value will do. If there is an option to filter invalid 
params by the driver (which knows about allowable values) it should be 
done. But filtering of attribute values (the ones relating to the 
driver) should be done by the driver.

I've applied checks for some of the native options just now.