Fix #64531: SQLite3Result::fetchArray runs the query again

cmb69 · maaarghk · commit 3553d71492bd · 2022-07-07T01:05:27.000+01:00
`SQLite3::query()` and `SQLite3Stmt::execute()` call `sqlite3_step()`
to determine whether to return a `SQLite3Result` or `false`.  Then they
call `sqlite3_reset()`, so that `SQLite3Result::fetchArray()` can fetch
values from the first row.  This obviously leads to issues if the SQL
query causes any side effects.  We solve this by not calling
`sqlite_reset()` anymore, but instead storing the last fetch result
code on the statement object, and to use this in `::fetchArray()` when
the first row is to be fetched.

This also allows us to prevent an SQLite3 quirk which automatically
resets a statement when `sqlite_fetch()` is called after the last fetch
returned anything else than `SQLITE_ROW`; thus fixing bug #79293.
diff --git a/ext/sqlite3/php_sqlite3_structs.h b/ext/sqlite3/php_sqlite3_structs.h
@@ -128,7 +128,9 @@ struct _php_sqlite3_stmt_object  {
 	php_sqlite3_db_object *db_obj;
 	zval db_obj_zval;
 
-	int initialised;
+	unsigned initialised:1;
+	unsigned has_stepped:1;
+	unsigned last_step_result:30;
 
 	/* Keep track of the zvals for bound parameters */
 	HashTable *bound_params;
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
@@ -591,6 +591,9 @@ PHP_METHOD(SQLite3, query)
 	ZVAL_OBJ(&result->stmt_obj_zval, Z_OBJ(stmt));
 
 	return_code = sqlite3_step(result->stmt_obj->stmt);
+	result->stmt_obj->has_stepped = 1;
+	ZEND_ASSERT(return_code >= 0 && return_code < (1 << 30));
+	result->stmt_obj->last_step_result = return_code;
 
 	switch (return_code) {
 		case SQLITE_ROW: /* Valid Row */
@@ -601,7 +604,6 @@ PHP_METHOD(SQLite3, query)
 			free_item->stmt_obj = stmt_obj;
 			free_item->stmt_obj_zval = stmt;
 			zend_llist_add_element(&(db_obj->free_list), &free_item);
-			sqlite3_reset(result->stmt_obj->stmt);
 			break;
 		}
 		default:
@@ -610,6 +612,7 @@ PHP_METHOD(SQLite3, query)
 			}
 			sqlite3_finalize(stmt_obj->stmt);
 			stmt_obj->initialised = 0;
+			stmt_obj->has_stepped = 0;
 			zval_ptr_dtor(return_value);
 			RETURN_FALSE;
 	}
@@ -1432,6 +1435,7 @@ PHP_METHOD(SQLite3Stmt, reset)
 	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 	SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
 
+	stmt_obj->has_stepped = 0;
 	if (sqlite3_reset(stmt_obj->stmt) != SQLITE_OK) {
 		php_sqlite3_error(stmt_obj->db_obj, "Unable to reset statement: %s", sqlite3_errmsg(sqlite3_db_handle(stmt_obj->stmt)));
 		RETURN_FALSE;
@@ -1782,12 +1786,14 @@ PHP_METHOD(SQLite3Stmt, execute)
 	}
 
 	return_code = sqlite3_step(stmt_obj->stmt);
+	stmt_obj->has_stepped = 1;
+	ZEND_ASSERT(return_code >= 0 && return_code < (1 << 30));
+	stmt_obj->last_step_result = return_code;
 
 	switch (return_code) {
 		case SQLITE_ROW: /* Valid Row */
 		case SQLITE_DONE: /* Valid but no results */
 		{
-			sqlite3_reset(stmt_obj->stmt);
 			object_init_ex(return_value, php_sqlite3_result_entry);
 			result = Z_SQLITE3_RESULT_P(return_value);
 
@@ -1800,9 +1806,6 @@ PHP_METHOD(SQLite3Stmt, execute)
 
 			break;
 		}
-		case SQLITE_ERROR:
-			sqlite3_reset(stmt_obj->stmt);
-			ZEND_FALLTHROUGH;
 		default:
 			if (!EG(exception)) {
 				php_sqlite3_error(stmt_obj->db_obj, "Unable to execute statement: %s", sqlite3_errmsg(sqlite3_db_handle(stmt_obj->stmt)));
@@ -1941,7 +1944,14 @@ PHP_METHOD(SQLite3Result, fetchArray)
 
 	SQLITE3_CHECK_INITIALIZED(result_obj->db_obj, result_obj->stmt_obj->initialised, SQLite3Result)
 
-	ret = sqlite3_step(result_obj->stmt_obj->stmt);
+	if (result_obj->stmt_obj->has_stepped) {
+		ret = result_obj->stmt_obj->last_step_result;
+	} else {
+		ret = sqlite3_step(result_obj->stmt_obj->stmt);
+		result_obj->stmt_obj->has_stepped = 1;
+		ZEND_ASSERT(ret >= 0 && ret < (1 << 30));
+		result_obj->stmt_obj->last_step_result = ret;
+	}
 	switch (ret) {
 		case SQLITE_ROW:
 			/* If there was no return value then just skip fetching */
@@ -1985,6 +1995,7 @@ PHP_METHOD(SQLite3Result, fetchArray)
 					zend_symtable_add_new(Z_ARR_P(return_value), result_obj->column_names[i], &data);
 				}
 			}
+			result_obj->stmt_obj->has_stepped = 0;
 			break;
 
 		case SQLITE_DONE:
@@ -2021,6 +2032,7 @@ PHP_METHOD(SQLite3Result, reset)
 
 	sqlite3result_clear_column_names_cache(result_obj);
 
+	result_obj->stmt_obj->has_stepped = 0;
 	if (sqlite3_reset(result_obj->stmt_obj->stmt) != SQLITE_OK) {
 		RETURN_FALSE;
 	}
@@ -2047,6 +2059,7 @@ PHP_METHOD(SQLite3Result, finalize)
 		zend_llist_del_element(&(result_obj->db_obj->free_list), &result_obj->stmt_obj_zval,
 			(int (*)(void *, void *)) php_sqlite3_compare_stmt_zval_free);
 	} else {
+		result_obj->stmt_obj->has_stepped = 0;
 		sqlite3_reset(result_obj->stmt_obj->stmt);
 	}
 
@@ -2273,6 +2286,7 @@ static void php_sqlite3_result_object_free_storage(zend_object *object) /* {{{ *
 	if (!Z_ISNULL(intern->stmt_obj_zval)) {
 		if (intern->stmt_obj && intern->stmt_obj->initialised) {
 			sqlite3_reset(intern->stmt_obj->stmt);
+			intern->stmt_obj->has_stepped = 0;
 		}
 
 		zval_ptr_dtor(&intern->stmt_obj_zval);
@@ -2312,6 +2326,7 @@ static zend_object *php_sqlite3_stmt_object_new(zend_class_entry *class_type) /*
 	object_properties_init(&intern->zo, class_type);
 
 	intern->zo.handlers = &sqlite3_stmt_object_handlers;
+	intern->has_stepped = 0;
 
 	return &intern->zo;
 }
diff --git a/ext/sqlite3/tests/bug64531_1.phpt b/ext/sqlite3/tests/bug64531_1.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #64531 (SQLite3Result::fetchArray runs the query again)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip sqlite3 extension not available');
+?>
+--FILE--
+<?php
+$conn = new SQLite3(':memory:');
+$conn->exec("CREATE TABLE foo (id INT)");
+
+$res = $conn->query("INSERT INTO foo VALUES (1)");
+
+$res->fetchArray();
+$res->fetchArray();
+
+$res = $conn->query("SELECT * FROM foo");
+while (($row = $res->fetchArray(SQLITE3_NUM))) {
+    var_dump($row);
+}
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  int(1)
+}
diff --git a/ext/sqlite3/tests/bug64531_2.phpt b/ext/sqlite3/tests/bug64531_2.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #64531 (SQLite3Result::fetchArray runs the query again)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip sqlite3 extension not available');
+?>
+--FILE--
+<?php
+function testing($val) {
+	echo "Testing with: $val\n";
+	return true;
+}
+
+$conn = new SQLite3(':memory:');
+$conn->exec("CREATE TABLE foo (id INT)");
+for ($i = 1; $i <= 3; $i++) {
+    $conn->exec("INSERT INTO foo VALUES ($i)");
+}
+$conn->createFunction('testing', 'testing', 1);
+
+$res = $conn->query('SELECT * FROM foo WHERE testing(id)');
+$arr = $res->fetchArray();
+$arr = $res->fetchArray();
+$arr = $res->fetchArray();
+$arr = $res->fetchArray();
+?>
+--EXPECT--
+Testing with: 1
+Testing with: 2
+Testing with: 3
diff --git a/ext/sqlite3/tests/bug79293.phpt b/ext/sqlite3/tests/bug79293.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #79293 (SQLite3Result::fetchArray() may fetch rows after last row)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip sqlite3 extension not available');
+?>
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+$db->exec("CREATE TABLE foo (bar INT)");
+for ($i = 1; $i <= 3; $i++) {
+    $db->exec("INSERT INTO foo VALUES ($i)");
+}
+
+$res = $db->query("SELECT * FROM foo");
+while (($row = $res->fetchArray(SQLITE3_ASSOC))) {
+    var_dump($row);
+}
+var_dump($res->fetchArray(SQLITE3_ASSOC));
+?>
+--EXPECT--
+array(1) {
+  ["bar"]=>
+  int(1)
+}
+array(1) {
+  ["bar"]=>
+  int(2)
+}
+array(1) {
+  ["bar"]=>
+  int(3)
+}
+bool(false)
