
Request #10986 Prepared statement names can collide on postgresql
Submitted: 2007-05-09 01:29 UTC
From: pberry Assigned: davidc
Status: Closed Package: MDB2 (version 2.4.1)
PHP Version: 5.1.6 OS: Linux
Roadmaps: (Not assigned)    


 [2007-05-09 01:29 UTC] pberry (Phil Berry)
Description:
------------
The code to create a prepared statement name is not random enough and can cause collisions generating the error -
[Native message: ERROR: prepared statement "mdb2_statement_pgsql_422336a461d3e76bb160213b37d39917" already exists]
The code resides in pgsql.php

Test script:
---------------
//The following code is the culprit
$statement_name = sprintf($this->options['statement_format'], $this->phptype, md5(time() + rand()));

//This is better
$statement_name = sprintf($this->options['statement_format'], $this->phptype, sha1(microtime() + mt_rand()));

Comments

 [2007-05-09 04:03 UTC] davidc (David Coallier)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.
 [2007-06-09 17:29 UTC] mystic414 (Adam Parod)
Is there a reason the statement name is being randomly generated? Even though this patch is more random, it could still potentially collide. The chances of a collision go way up if you're doing many thousands of queries in a row (something I have to do from time to time).

Why not add a new member to the MDB2_Driver_pgsql class:

var $prep_statement_counter = 1;

and then increment the counter for each new prepared statement:

$statement_name = sprintf($this->options['statement_format'], $this->phptype, $this->prep_statement_counter++);

No more collisions, no matter how many queries you run!
 [2008-08-01 09:50 UTC] ikke007 (Mark van Straten)
microtime() returns the current Unix timestamp with microseconds. This function is only available on operating systems that support the gettimeofday() system call.

I personally do not know which systems do not support the gettimeofday() system call but another patch is the following:

<?php
class MDB2_Statement_Common{
    function __destruct(){
        $this->free();//free prepared statement handle
    }
}
?>
 [2008-10-15 10:00 UTC] michaelmenge (Michael Menge)
I was hit by this bug, as there is no fix in the stable release. Please backport the fix to the stable release or, if this is too complicated, consider the following option.
-----------------------------
The real problem is time() + rand() and microtime() + mt_rand() are both additions of two integer values and if the script does many prepared statements there will be a collision.

time() . rand() or microtime() . mt_rand() are much better as they will append the time() string with a random number.
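
The following is an added example, not MDB2 code and not posted by anyone in this thread. It replays the summed, concatenated and counter-based naming schemes discussed above against a simulated clock and counts duplicate statement names. The function names, the format string (inferred from the error message), the timestamp and the seed are assumptions.

```php
<?php
// Added example, not MDB2 code. Replays the naming schemes from this report
// against a simulated clock and counts duplicate statement names.
const FORMAT = 'mdb2_statement_%s_%s'; // assumed, inferred from the error message

// Reported scheme: md5 of the integer SUM of timestamp and random number.
function name_sum(int $t, int $r, int $i): string {
    return sprintf(FORMAT, 'pgsql', md5((string) ($t + $r)));
}

// Concatenation: the timestamp digits followed by the random number.
function name_concat(int $t, int $r, int $i): string {
    return sprintf(FORMAT, 'pgsql', md5($t . $r));
}

// Per-connection counter: $i is how many statements were prepared so far.
// PostgreSQL scopes prepared statement names to one session, so this is unique.
function name_counter(int $t, int $r, int $i): string {
    return sprintf(FORMAT, 'pgsql', (string) $i);
}

// Prepare $n statements spread evenly over $seconds; return the number of
// names that were already taken when they were generated.
function count_collisions(callable $scheme, int $n, int $seconds, int $seed): int {
    mt_srand($seed);            // identical random draws for every scheme
    $start = 1178674140;        // constructed Unix timestamp
    $seen = [];
    $collisions = 0;
    for ($i = 1; $i <= $n; $i++) {
        $t = $start + intdiv(($i - 1) * $seconds, $n); // simulated time()
        $r = mt_rand();                                // 0 .. 2^31 - 1
        $name = $scheme($t, $r, $i);
        if (isset($seen[$name])) {
            $collisions++;
        }
        $seen[$name] = true;
    }
    return $collisions;
}

foreach (['name_sum', 'name_concat', 'name_counter'] as $scheme) {
    printf("%-13s %d duplicate names\n", $scheme, count_collisions($scheme, 200000, 10, 42));
}
```

For 200,000 names over 10 seconds the birthday estimate n²/(2·2³¹) predicts roughly nine duplicates for the summed scheme, because every pair of names can clash regardless of the second it was created in. Concatenation limits clashes to names created within the same second, about a tenth as many here, and the counter produces none.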