Using output parameter results in invalid data from client memory when not assigned in SP

[mathieuk]

PHP Driver version or file name

5.3.0

SQL Server version

SQL2016

Client operating system

Linux / CentOS 7

PHP version

PHP 7.2.11

Microsoft ODBC Driver version

unixODBC 2.3.6
ODBC Driver 17 for SQL Server

Problem description

When calling a stored procedure with a string output that remains untouched during the stored procedure, the driver will return memory that it shouldn't (but from a specific location).

Expected behavior and actual behavior

Expected:
When the output parameter is not assigned it should become NULL.

Actual:
Memory from a specific location is returned which may return sensitive information. For instance: I've seen my PHP code (from unrelated bits) returned.

Repro code or steps to reproduce

<?php
$pdo = new PDO(/* ... */);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->query("CREATE OR ALTER PROCEDURE nullOutputBug(@OUTPUT NVARCHAR(255) OUTPUT) AS SELECT 1,2,3");

$output = null;

$stmt = $pdo->prepare("nullOutputBug @OUTPUT = :output");
$stmt->bindParam('output', $output, PDO::PARAM_STR, 32);

$result = $stmt->execute();


echo "========================\n";
echo "Output variable now contains:\n\n";

echo $output;
echo "\n\n========================\n";

?>

This now consistently returns the following for me:

$ php test.php
========================
Output variable now contains:

xecutetputBug(@OUTPUT NVARCHAR(255) OUTPUT) AS SELECT 1,2,3

========================

Varying the parameter length will change the location it reads from and the length of data returned. As said, I've had chunks of my PHP code returned but also (parts) of my database name.

[yitam]

Thanks @mathieuk yes I can reproduce this.

[yitam]

@mathieuk in your particular example when a result set is waiting to be processed (SELECT 1, 2, 3), the output param is not set until closeCursor is called to finalize the output parameter's value. FYI, this page explains why closing the cursor is required

To prove my point, you can try adding $stmt->closeCursor(); or $stmt->nextRowset() right after the line $result = $stmt->execute();

Alternatively, you can change your stored procedure as follows:

$pdo->query("CREATE OR ALTER PROCEDURE nullOutputBug(@OUTPUT NVARCHAR(255) OUTPUT) AS PRINT 1");

I hope this clarifies things.

[mathieuk]

@yitam ok, that makes sense. Thank you for investigating. Maybe the extension should null the memory allocated for $output? Mathieu

…

Op 10 dec. 2018 om 21:07 heeft Jenny Tam ***@***.***> het volgende geschreven: @mathieuk in your particular example when a result set is waiting to be processed (SELECT 1, 2, 3), the output param is not set until closeCursor is called to finalize the output parameter's value. FYI, this page explains why closing the cursor is required To prove my point, you can try adding $stmt->closeCursor(); or $stmt->nextRowset() right after the line $result = $stmt->execute(); Alternatively, you can change your stored procedure as follows: $pdo->query("CREATE OR ALTER PROCEDURE ***@***.*** NVARCHAR(255) OUTPUT) AS PRINT 1"); I hope this clarifies things. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[yitam]

Yes @mathieuk I agree. Looking into this now

[yitam]

Closing the issue. The PR was merged in the 5.6.0.