Fix GH-13354: ext/pgsql: pg_execute, pg_send_query_params and_send_ex…

…ecute null value by reference.

For these, when passing null values by refence, queries return erroneous values unlike
pg_query_params behaving as expected.

close GH-13355.

NEWS

@@ -9,6 +9,10 @@ PHP                                                                        NEWS
   . Fixed bug #75712 (getenv in php-fpm should not read $_ENV, $_SERVER).
     (Jakub Zelenka)
 
+- PGSQL:
+  . Fixed bug GH-13354 (pg_execute/pg_send_query_params/pg_send_execute
+    with null value passed by reference). (George Barbarosie)
+
 - Standard:
   . Fixed array key as hash to string (case insensitive) comparison typo
     for the second operand buffer size (albeit unused for now). (A. Slepykh)

ext/pgsql/pgsql.c

@@ -1288,7 +1288,7 @@ PHP_FUNCTION(pg_execute)
 		params = (char **)safe_emalloc(sizeof(char *), num_params, 0);
 
 		ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(pv_param_arr), tmp) {
-
+			ZVAL_DEREF(tmp);
 			if (Z_TYPE_P(tmp) == IS_NULL) {
 				params[i] = NULL;
 			} else {
@@ -3653,7 +3653,7 @@ PHP_FUNCTION(pg_send_query_params)
 		params = (char **)safe_emalloc(sizeof(char *), num_params, 0);
 
 		ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(pv_param_arr), tmp) {
-
+			ZVAL_DEREF(tmp);
 			if (Z_TYPE_P(tmp) == IS_NULL) {
 				params[i] = NULL;
 			} else {
@@ -3820,7 +3820,7 @@ PHP_FUNCTION(pg_send_execute)
 		params = (char **)safe_emalloc(sizeof(char *), num_params, 0);
 
 		ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(pv_param_arr), tmp) {
-
+			ZVAL_DEREF(tmp);
 			if (Z_TYPE_P(tmp) == IS_NULL) {
 				params[i] = NULL;
 			} else {

ext/pgsql/tests/gh13354.phpt

@@ -0,0 +1,80 @@
+--TEST--
+GH-13354 (null-by-reference handling in pg_execute, pg_send_query_params, pg_send_execute)
+--EXTENSIONS--
+pgsql
+--SKIPIF--
+<?php include("skipif.inc"); ?>
+--FILE--
+<?php
+include 'config.inc';
+
+$db = pg_connect($conn_str);
+$val = null;
+
+$query = 'SELECT $1::text IS NULL;';
+$params_null = [null];
+$params_null_by_ref = [&$val];
+
+pg_prepare($db, 'test', $query);
+
+
+// method 1, pg_execute
+$val = null;
+$res = pg_execute($db, 'test', $params_null);
+echo "pg_execute, null value: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+$res = pg_execute($db, 'test', $params_null_by_ref);
+echo "pg_execute, null value by reference: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+
+// method 2, pg_query_params
+$res = pg_query_params($db, $query, $params_null);
+echo "pg_query_params, null value: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+$res = pg_query_params($db, $query, $params_null_by_ref);
+echo "pg_query_params, null value by reference: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+
+// method 3, pg_send_query_params
+$res = pg_send_query_params($db, $query, $params_null);
+pg_consume_input($db);
+$res = pg_get_result($db);
+echo "pg_send_query_params, null value: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+$res = pg_send_query_params($db, $query, $params_null_by_ref);
+pg_consume_input($db);
+$res = pg_get_result($db);
+echo "pg_send_query_params, null value by reference: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+
+// method 4, pg_send_prepare, pg_send_execute
+pg_send_execute($db, 'test', $params_null);
+pg_consume_input($db);
+$res = pg_get_result($db);
+echo "pg_send_execute, null value: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+pg_send_execute($db, 'test', $params_null_by_ref);
+pg_consume_input($db);
+$res = pg_get_result($db);
+echo "pg_send_execute, null value by reference: " . pg_fetch_result($res, 0, 0) . "\n";
+pg_free_result($res);
+
+pg_close($db);
+
+?>
+--EXPECT--
+pg_execute, null value: t
+pg_execute, null value by reference: t
+pg_query_params, null value: t
+pg_query_params, null value by reference: t
+pg_send_query_params, null value: t
+pg_send_query_params, null value by reference: t
+pg_send_execute, null value: t
+pg_send_execute, null value by reference: t