* PHP-8.5:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.4:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.3:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.2:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.1:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* Reduce code bloat in arginfo by using specialised string releases
Comparing this patch to master (c7da728574),
with a plain configure command without any options:
```
text data bss dec hex filename
20683738 1592400 137712 22413850 156021a sapi/cli/php
20688522 1592400 137712 22418634 15614ca sapi/cli/php_old
```
We see a minor reduction of 0.023% in code size.
* Also use true for the other initialization line
* Also use specialized code for consts
As stated in the UPGRADING, using the passthrough ("single-row") mode of libpq (introduced in #15287)
forbids passing a new query while the current one's results have not been entirely consumed.
… But I didn't notice that ext/pdo_pgsql internally used new queries to fetch metadata (example use case:
a call to getColumnMeta() while fetch()ing row by row will interleave the getColumnMeta()-triggered
internal query to the database, with the results fetching for the user-called query).
This PR makes those internal calls return NULL for non-essential metadata, instead of letting libpq abort the user-called query.
It moreover includes a small tweak to table oid-to-name translation, with a 1-slot cache.
This may by chance allow the internal call to return something instead of NULL,
but it will nonetheless avoid 30 server calls to get the table name of 30 columns of the same table.
optimize calls to foreach(columns of the same table) getColumnMeta()
- each call queried the DB to know the name associated with the table's OID:
cache the result between two calls
- make pdo_pgsql_translate_oid_to_table higher-level,
with the last parameter being the handle instead of the raw connection;
thus the statement is cleaner, letting the handle do all memory handling on the table oid-to-name translation cache
(which by the way is a driver feature more than a statement one)
close GH-16249
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
Make Pdo\PgSql accept Pdo::setAttribute(PDO::ATTR_PREFETCH, 0) to enter libpq's single row mode.
This avoids storing the whole result set in memory before being able to call the first fetch().
close GH-15750
PQclosePrepared allows the statement's name to be reused thus allowing
cache solutions to work properly ; whereas, for now, the `DEALLOCATE
<statement>` query is used which free entirely the statement's resources.
close GH-13316
A common convention is to name internal C header files as `*_int.h`.
Since a couple of these are actually installed, we add comments that
this is not supposed to happen, (a) to avoid installing further
internal headers, and (b) to pave the way to fix this in the next major
PHP version.
Somewhat special is php_gmp_int.h, where "int" is meant as abbreviation
for "interface".
Another common convention is appending `_priv` or `_private`, but since
there have not been any issues regarding these headers so far, we
refrain from adding respective comments to these headers.
Anyhow, it might be a good idea to introduce some common naming
convention for such internal/private headers.
David Carlier