
Comments (14)

zfbot commented on August 17, 2024

(Originally posted by: akrabat on 11/06/12)

Does this work when you do:

$result = $db->fetchAll("SELECT * FROM `example` WHERE (`data` LIKE ?) AND (`datetime` > ?)", 'foo\\nbar', '2012-01-01 9:45:12');

?

from zf1.

zfbot commented on August 17, 2024

(Originally posted by: Milan Krupa on 11/07/12)

Thanks, it works, and it could be a quick solution.
Actually, it should be:

$result = $db->fetchAll("SELECT * FROM `example` WHERE (`data` LIKE ?) AND (`datetime` > ?)", array('foo\\nbar', '2012-01-01 9:45:12'));

Just for the record, using param binding via Zend_Db_Select does NOT work again:

$select = $db->select()
             ->from('example')
             ->where('data LIKE ?', 'foo\\nbar')
             ->where('datetime > ?', '2012-01-01 9:45:12');
$db->fetchAll($select);

from zf1.

zfbot commented on August 17, 2024

(Originally posted by: luinnar on 03/04/13)

It's probably a regression of ZF-3025.

I have the same problem on ZF 1.12.2. The following code will throw the error "Invalid bind-variable name ':2'":

$sQuery = 'INSERT INTO test VALUES('. $sQuery .')';

$oDb->query($sQuery);

Please see last comment: http://framework.zend.com/issues/browse/ZF-3025?focusedCommentId=51297&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-51297

from zf1.

zfbot commented on August 17, 2024

This issue was ported from the ZF2 Jira Issue Tracker at
http://framework.zend.com/issues/browse/ZF-12460

Known GitHub users mentioned in the original message or comment:
@akrabat, @luinnar

from zf1.

commented on August 17, 2024

I got the same problem (running the current Zend release, and I tried the current Git version too).

The test case is the following:

// prepare a statement with a control character
$test = 'Test String: '.PHP_EOL.':D with newlines'.PHP_EOL;
$sql = 'SELECT *
        FROM `zf1Test`
        WHERE `string` = '.$db->quote($test);
$stmt = new Zend_Db_Statement_Mysqli($db, $sql);

The problem is that this part of the regex string: [^$q{$escapeChar}] excludes the backslash character (if the escape character is a backslash), but any control character is prefixed by a backslash.

So remove any control character before removing the quoted strings. The current patch only affects "\n"; if the control character has been quoted more than once (e.g. "\\n") it won't work.

But a ('/\\\\+(n|r|t|v|f|\$|")/s',' ',$sql) would hit every possible "multi quote". Not sure how to handle this?

I ran the test suite for the MySQLi statement and nothing failed.

diff --git a/library/Zend/Db/Statement.php b/library/Zend/Db/Statement.php
index c17affb..340234f 100644
--- a/library/Zend/Db/Statement.php
+++ b/library/Zend/Db/Statement.php
@@ -190,6 +190,10 @@ abstract class Zend_Db_Statement implements Zend_Db_Statement_Interface
         // remove 'foo\'bar'
         if (!empty($q)) {
             $escapeChar = preg_quote($escapeChar);
+
+            // remove any control character
+            $sql = preg_replace('/\\\\(n|r|t|v|f|\$|")/s',' ',$sql);
+
             // this segfaults only after 65,000 characters instead of 9,000
             $sql = preg_replace("/$q([^$q{$escapeChar}]*|($qe)*)*$q/s", '', $sql);
         }
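Review bot: the new preg_replace() in this hunk only handles the escape sequences listed in its pattern, `'/\\\\(n|r|t|v|f|\$|")/s'`, and it runs as a separate pass before the literal pattern on the next line, so any other backslash that mysqli quoting emits (an escaped backslash `\\`, `\0`, `\Z`) still trips `[^$q{$escapeChar}]`, and a doubled form such as `\\n` is only half consumed, leaving a stray backslash behind (the comment above the patch already notes this). Suggest folding the escape into the literal pattern itself, as one alternative that accepts `{$escapeChar}` followed by any single character, and adding a Zend_Db_Statement_Mysqli test with a value containing a newline, a backslash and a quote so the regression from ZF-3025 does not come back.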

from zf1.
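The mechanism the comment above describes, as an added example that is not part of the thread or of Zend Framework: the single-quote pattern from Zend_Db_Statement::_stripQuoted() (ZF 1.12) is rebuilt here with the values ZF1 derives for the mysqli adapter, run over statements constructed to look like $db->quote() output, and the leftover text is scanned the way the statement constructor scans it for bind variables. stripQuotedZf1() and findPlaceholders() are names chosen for this example.

```php
<?php
// Added example, not Zend Framework code: reproduce the _stripQuoted() failure that
// this thread describes, with the single-quote regex exactly as ZF 1.12 builds it for
// an adapter that escapes quotes with a backslash (mysqli). The inputs are constructed
// to look like statements after $db->quote(): a newline in the value has become the
// two characters \n inside the literal.

function stripQuotedZf1(string $sql): string
{
    // Pieces as ZF1 derives them: quote char, escaped quote \' and escape char \,
    // each passed through preg_quote() so they can be interpolated into a pattern.
    $q          = "'";
    $qe         = preg_quote("\\'");
    $escapeChar = preg_quote('\\');

    // remove 'foo\'bar' (the ZF 1.12 pattern; [^$q{$escapeChar}] refuses every
    // backslash, and ($qe)* only accepts a backslash that is followed by a quote)
    $sql = preg_replace("/$q([^$q{$escapeChar}]*|($qe)*)*$q/s", '', $sql);
    // remove "foo\"bar"
    $sql = preg_replace("/\"(\\\\\"|[^\"])*\"/Us", '', $sql);
    // remove `identifier` (MySQL delimits identifiers with backticks)
    $sql = preg_replace("/`(``|\\\\{2}|[^`])*`/Us", '', $sql);
    return $sql;
}

// The placeholder scan Zend_Db_Statement runs over the stripped copy: every '?' or
// ':name' left over is treated as a bind variable.
function findPlaceholders(string $strippedSql): array
{
    preg_match_all('/(\?|\:[a-zA-Z0-9_]+)/', $strippedSql, $m);
    return $m[1];
}

// Constructed statements. In PHP double quotes "\\n" is a backslash followed by n.
$cases = [
    'no escape in the literal' =>
        "SELECT * FROM `example` WHERE (`data` LIKE 'foo bar') AND (`datetime` > '2012-01-01 9:45:12')",
    'escaped newline, then a datetime literal' =>
        "SELECT * FROM `example` WHERE (`data` LIKE 'foo\\nbar') AND (`datetime` > '2012-01-01 9:45:12')",
    'escaped carriage return, then a datetime literal' =>
        "INSERT INTO tableA (description, createdDate) VALUES ('line1\\rline2', '2013-05-10 09:00:00')",
];

foreach ($cases as $label => $sql) {
    $stripped = stripQuotedZf1($sql);
    echo $label, "\n";
    echo "  stripped copy : ", $stripped, "\n";
    echo "  bind variables: ", json_encode(findPlaceholders($stripped)), "\n\n";
}
```

For the two statements with an escaped control character the literal pattern cannot match the first literal, so the first match it finds runs from that literal's closing quote to the next literal's opening quote; what is left of the datetime, `:45:12` and `:00:00`, is then reported as named bind variables. Because the mysqli adapter supports positional parameters only, the constructor throws Invalid bind-variable name ':45' (':00' for the INSERT), which is the error the thread reports. The stripped copy is used only to locate placeholders; the original statement is what gets prepared, so the defect surfaces as a failed query rather than as a change to what the server executes.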

martijn80 commented on August 17, 2024

I got the same problem with version 1.12.4dev.
It happens quite often when you execute insert or update queries with text values containing newlines or carriage returns and a datetime field afterwards.

This query fails with: Invalid bind-variable name ':00'

INSERT INTO tableA (description, createdDate)
VALUES ('line1\rline2', '2013-05-10 09:00:00')

from zf1.

froschdesign commented on August 17, 2024

ping @ralphschindler

from zf1.

froschdesign commented on August 17, 2024

@ezimuel
Any ideas or comments?

from zf1.

xzyx commented on August 17, 2024

My team lead found a solution to this, give it a try:

library/Zend/Db/Statement.php

// remove 'foo\'bar'
if (!empty($q)) {
    $escapeChar = preg_quote($escapeChar);

    $regex = "/$q($qe+|\\\\{2}+|[^$q]+|(?<=\\\\)$q)*$q/";
    $sql = preg_replace($regex, '', $sql);
}

from zf1.

SamanthaAdrichem commented on August 17, 2024

@xzyx Your comment does fix it, but what is the impact with SQL injection?

from zf1.

xzyx commented on August 17, 2024

I would suggest using Data Binding instead.

from zf1.

SamanthaAdrichem commented on August 17, 2024

We are binding our params using the where function. This error occurs when we bind a date time and a value containing a wildcard like % or _.

Sent from my iPhone

On 29 Mar 2015 at 23:28, Brian [email protected] wrote:

I would suggest using Data Binding instead.


from zf1.

mddejong commented on August 17, 2024

As I found the previous solution too hard to understand, I wrote a simpler solution:

In library/Zend/Db/Statement, in the function _stripQuoted(), just add a [] with all possible problem characters as a third option to the regex:

// remove 'foo\'bar'
if (!empty($q)) {
    $escapeChar = preg_quote($escapeChar);

    // $sql = preg_replace("/$q([^$q{$escapeChar}]*|($qe)*)*$q/s", '', $sql);
    $regex = "/$q([^$q{$escapeChar}]*|($qe)*|({$escapeChar}[\\w_%'\"0{$escapeChar}])*)*$q/s";
    $sql = preg_replace($regex, '', $sql);
}

from zf1.

ezimuel commented on August 17, 2024

@mddejong we cannot rely on regex to solve the issue. There are other cases in our history where the usage of regular expressions solved the issue but opened other potentials. I'm closing this issue because we have a workaround, as pointed out here.

from zf1.
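A non-regex alternative, as an added example that is neither the thread's nor Zend Framework's code, for the point made in the last two comments: stripQuotedScanner() walks the statement one character at a time and drops everything between quotes, honouring a backslash escape and a doubled quote, and is run next to the pattern xzyx proposed above over constructed statements, including the LIKE wildcard case SamanthaAdrichem mentions. The function names and the sample statements are this example's own; it assumes MySQL's default backslash escaping.

```php
<?php
// Added example, not Zend Framework code: a character-walking literal stripper that
// could replace the regex in Zend_Db_Statement::_stripQuoted(), run side by side with
// the regex proposed in the thread. Statements are constructed to look like mysqli
// output for MySQL (backslash escapes); doubled quotes ('' and ``) are accepted too.

function stripQuotedScanner(string $sql): string
{
    $out  = '';
    $open = null;                      // quote character we are inside, or null
    $len  = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($open === null) {
            if ($c === "'" || $c === '"' || $c === '`') {
                $open = $c;            // entering a literal or delimited identifier
            } else {
                $out .= $c;            // bare SQL is kept for the placeholder scan
            }
        } elseif ($c === '\\' && $open !== '`') {
            $i++;                      // backslash escape: skip whatever follows it
        } elseif ($c === $open) {
            if ($i + 1 < $len && $sql[$i + 1] === $open) {
                $i++;                  // doubled quote is an escaped quote
            } else {
                $open = null;          // closing quote
            }
        }
        // any other character inside quotes is dropped
    }
    return $out;
}

// The pattern from the thread, assembled the way ZF1 assembles its pieces for mysqli.
function stripQuotedProposedRegex(string $sql): string
{
    $q   = "'";
    $qe  = preg_quote("\\'");
    $sql = preg_replace("/$q($qe+|\\\\{2}+|[^$q]+|(?<=\\\\)$q)*$q/", '', $sql);
    return preg_replace("/`(``|[^`])*`/Us", '', $sql);
}

// What the statement constructor looks for in the stripped copy.
function findPlaceholders(string $strippedSql): array
{
    preg_match_all('/(\?|\:[a-zA-Z0-9_]+)/', $strippedSql, $m);
    return $m[1];
}

// Constructed statements ("\\n" and "\\'" are a backslash plus one character).
$cases = [
    // the thread's case: an escaped newline followed by a datetime literal
    "SELECT * FROM `example` WHERE (`data` LIKE 'foo\\nbar') AND (`datetime` > '2012-01-01 9:45:12')",
    // LIKE wildcards and an escaped quote in the literal, two real positional markers outside it
    "SELECT * FROM `t` WHERE `name` LIKE 'it\\'s %' AND `created` > ? AND `id` <> ?",
    // a colon inside the literal must be ignored, the named marker outside it must be found
    "SELECT * FROM `t` WHERE `note` = 'call :later' AND `id` = :id",
    // a value that ends in an escaped backslash (a Windows path), followed by a time
    "INSERT INTO `t` (`path`, `at`) VALUES ('C:\\\\', '09:00')",
];

foreach ($cases as $sql) {
    echo $sql, "\n";
    echo "  scanner: ", json_encode(findPlaceholders(stripQuotedScanner($sql))), "\n";
    echo "  regex  : ", json_encode(findPlaceholders(stripQuotedProposedRegex($sql))), "\n";
}
```

On the first three statements both approaches report the same bind variables. On the last, the proposed pattern's `[^$q]+` branch swallows the literal's backslashes and its `(?<=\\\\)$q` branch then treats the closing quote of 'C:\\' as an escaped one, so the match runs on into the next literal and ':00' is reported, the same symptom as the original defect; the scanner consumes a backslash together with the character after it and sees two literals. Whatever strips quotes must agree with the server's escaping rules: MySQL's NO_BACKSLASH_ESCAPES mode, or an adapter that doubles quotes instead of backslashing them, changes what counts as an escape, which is why a hand-written scanner with an explicit rule per adapter is easier to reason about than a single pattern.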
