Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
InsertQuery_pgsql uses PDO's bindParam when using a fromQuery with parameters, the code looks like:
if (!empty($this->fromQuery)) {
foreach ($this->fromQuery->getArguments() as $key => $value) {
$stmt->bindParam($key, $value);
}
}
The problem is that the second parameter to bindParam is passed by reference and the foreach reuses the reference for $value. The same reference is therefore stored for every bound parameter, leaving them all with the same value at execution time.
I believe that this is a critical bug since it breaks the INSERT FROM functionality of DBTNG (unfortunately on Postgres specifically).
The attached patch reworks the foreach so that the reference issued to bindParam is specific to each value.
Comment | File | Size | Author |
---|---|---|---|
#10 | 845846-include-test.patch | 3.91 KB | Stevel |
#9 | 845846-include-test.patch | 5.06 KB | Stevel |
#8 | 845846-use-direct-reference.patch | 2.77 KB | Stevel |
#6 | 845846-arguments-variable.patch | 2.58 KB | Stevel |
#4 | 845846-give-reference-to-bindParam.patch | 2.55 KB | Stevel |
Comments
Comment #1
Crell CreditAttribution: Crell commentedRefiling for the Postgres team to look into.
Comment #2
Damien Tournoud CreditAttribution: Damien Tournoud commentedThis is indeed a bug. Nice catch, but we need to go a few steps further on this:
getArguments()
return a value.For the record: PDO--
Comment #3
Damien Tournoud CreditAttribution: Damien Tournoud commentedHow, and I would like to know which tests (if any) fails because of that. If none, we need more tests.
Comment #4
Stevel CreditAttribution: Stevel commentedHere's a new patch:
Comments for #2:
1) No extra variable introduced
2) An inline comment is provided the first time the foreach with reference is used
3) I only found one extra case where this is used.
4) The foreach ($array as $k =>&$v) is used several times in the pgsql query.inc, so I don't think it's that big a problem.
As tests are concerned, there's a modified Insert test that should fail on pgsql now without the rest of the patch. I'm not sure how to test the second instance though.
Comment #6
Stevel CreditAttribution: Stevel commentedReroll, it appears we need to store the arguments in a separate variable after all: above patch gives
Comment #7
Damien Tournoud CreditAttribution: Damien Tournoud commentedLet's please use direct references instead of pass-by-reference. I'm very uncomfortable with it, because:
So let's use an intermediary variable and direct reference to the element:
Comment #8
Stevel CreditAttribution: Stevel commentedThis patch removes all occurences of the pass by reference using &$variable
Comment #9
Stevel CreditAttribution: Stevel commentedForgot to add the modified test in the latest patches.
Comment #10
Stevel CreditAttribution: Stevel commentedd.o does not like the ANSI coloring (which makes the diff show colored in the terminal), so removing it :)
Comment #11
Damien Tournoud CreditAttribution: Damien Tournoud commentedLet's get this in.
Comment #12
Dries CreditAttribution: Dries commentedLooks good to me. Committed to CVS HEAD.