granicus.if.org Git - php/commit

author	Adam Baratz <adambaratz@php.net>
	Mon, 10 Oct 2016 22:10:37 +0000 (18:10 -0400)
committer	Adam Baratz <adambaratz@php.net>
	Mon, 10 Oct 2016 22:16:17 +0000 (18:16 -0400)
commit	32b6154a61fae820386527f3019f8c5937fc5d27
tree	b59e7fdf7af66c6e5f33eb57d64816c7938f6272	tree \| snapshot
parent	f51405cd7e64ba2554a281716006ecff80b72c55	commit \| diff

Fix #73234: Emulated statements let value dictate parameter type

The prepared statement emulator (pdo_sql_parser.*) figures out how to quote
each query parameter. The intended type is specified by the PDO::PARAM_*
consts, but this direction wasn't always followed. In practice, queries could
work as expected, but subtle errors could result. For example, a numeric string
bound as PDO::PARAM_INT would be sent to a driver's quote function. While these
functions are told which type is expected, they generally assume values are
being quoted as strings. This can result in implicit casts, which are bad for
performance.

This commit includes the following changes:
- Cast values marked as bool/int/null to the appropriate type and bypass the
driver's quote function.
- Save some memory by dropping the temporary zval used for casting.
- Avoid a memory leak if the driver's quote function produces an error.
- Appropriate test suite updates.

NEWS		diff \| blob \| history
ext/pdo/pdo_sql_parser.c		diff \| blob \| history
ext/pdo/pdo_sql_parser.re		diff \| blob \| history
ext/pdo/tests/bug_65946.phpt		diff \| blob \| history
ext/pdo/tests/bug_73234.phpt	[new file with mode: 0644]	blob
ext/pdo/tests/pdo_018.phpt		diff \| blob \| history
ext/pdo/tests/pdo_024.phpt		diff \| blob \| history