It is possible to mix PDO sub-classes with different dsn and crash PHP #16131
Comments
I had the same idea of testing that just recently. There is some code that is intended to verify this: Lines 222 to 276 in ebee8df
Ah, it's checked when calling
correctly results in:
Sorry for the bug, I'll take a stab at it tonight.
We now use the create driver-specific codepath without an object to change, so we go through the exceptions thrown there when there are any mismatches between the class being used and the connection string. The class entry fetch in the entry points was also wrong and did not get a valid class entry; this was also fixed. A test was added for this, although I'm not pleased by the fact that it needs two real PDO drivers. A better way to test this would be nice, although it does match the original sample case.
I did take a stab at it as well (in
@NattyNarwhal thank you for attempting to fix the issue! My changes are very similar to yours, but a small trick is needed to really make it work for userland subclasses. I will likely have time to create a PR tonight or tomorrow morning.
I filed #16167 that is supposed to fix the problem. I didn't yet have time for tidying it up, so I'm leaving it in draft for now. The "small trick" I mentioned was to add the explicit constructor for each implementation. Doing so made it possible not to break subclasses of internal PDO classes.
* PHP-8.4: Fix GH-16131: Prevent mixing PDO sub-classes with different DSN
Description
PHP 8.4 added PDO driver specific sub-classes and it is now possible to write the following code, which crashes the PHP process:
The dsn requested a sqlite driver, but the PDO sub-class is Pdo\Mysql, which assumes that it has a mysql driver and can use it, causing a crash.
pdo_mysql.c line 99:
Expected result
Either an exception thrown when the PDO sub-class and dsn don't match, or not possible to create sub-class objects directly (only with PDO::connect).
PHP Version
PHP 8.4.0RC1
Operating System
No response
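The first option under "Expected result", written as a userland pre-check: an added example, not code from this issue or from php-src. The names `assertClassMatchesDsn`, `connectChecked` and `DRIVER_CLASSES` are hypothetical, the prefix map is an assumption, and DSNs without a driver prefix (php.ini aliases) or with a `uri:` prefix are rejected rather than resolved.

```php
<?php
declare(strict_types=1);

// Assumed map: DSN driver prefix => PHP 8.4 driver-specific PDO class.
const DRIVER_CLASSES = [
    'mysql'    => Pdo\Mysql::class,
    'sqlite'   => Pdo\Sqlite::class,
    'pgsql'    => Pdo\Pgsql::class,
    'odbc'     => Pdo\Odbc::class,
    'firebird' => Pdo\Firebird::class,
    'dblib'    => Pdo\Dblib::class,
];

// Hypothetical helper: throws unless $class is usable with the driver named in $dsn.
function assertClassMatchesDsn(string $class, string $dsn): void
{
    $pos = strpos($dsn, ':');
    if ($pos === false || $pos === 0) {
        // A DSN without a prefix may be a php.ini alias; this check does not resolve those.
        throw new InvalidArgumentException('DSN has no driver prefix');
    }
    $driver = substr($dsn, 0, $pos);
    if ($class === PDO::class) {
        return; // the generic base class carries no driver assumption
    }
    $expected = DRIVER_CLASSES[$driver] ?? null; // "uri:" and unknown prefixes end up null
    // is_a() with allow_string=true also accepts userland subclasses of $expected.
    if ($expected === null || !is_a($class, $expected, true)) {
        throw new InvalidArgumentException(
            sprintf('%s cannot be used with a "%s" DSN', $class, $driver)
        );
    }
}

// Hypothetical factory: validate first, construct only on a match.
function connectChecked(string $class, string $dsn, ?string $user = null,
                        ?string $pass = null, ?array $options = null): PDO
{
    assertClassMatchesDsn($class, $dsn);
    return new $class($dsn, $user, $pass, $options);
}

// Constructed inputs: only the check runs here, no connection is opened.
foreach ([[Pdo\Sqlite::class, 'sqlite::memory:'], [Pdo\Mysql::class, 'sqlite::memory:']] as [$c, $d]) {
    try {
        assertClassMatchesDsn($c, $d);
        echo "$c + $d: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

A class whose driver extension is not loaded is rejected as well, because `is_a()` returns false for a class that does not exist.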