From a38277a46494fd0fa8aff8b8ac4b8cdf7d63c6ca Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 8 Oct 2025 21:55:31 +0200
Subject: [PATCH] Fix GH-17346: PDOStatement::$queryString "readonly" is not
 properly implemented

We shouldn't use a cache slot while writing as it would allow to bypass
the custom "read only" behaviour. (Note that this is not a "real"
readonly, it is more like a "writeonce")
---
 ext/pdo/pdo_stmt.c         |  1 +
 ext/pdo/tests/gh17346.phpt | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 ext/pdo/tests/gh17346.phpt

diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
index e2723c703f0ac..674a4bfadaaeb 100644
--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
@@ -1931,6 +1931,7 @@ static zval *dbstmt_prop_write(zend_object *object, zend_string *name, zval *val
 			zend_throw_error(NULL, "Property queryString is read only");
 			return value;
 		}
+		cache_slot = NULL;
 	}
 	return zend_std_write_property(object, name, value, cache_slot);
 }
diff --git a/ext/pdo/tests/gh17346.phpt b/ext/pdo/tests/gh17346.phpt
new file mode 100644
index 0000000000000..c00be3096a607
--- /dev/null
+++ b/ext/pdo/tests/gh17346.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-17346 (PDOStatement::$queryString "readonly" is not properly implemented)
+--EXTENSIONS--
+pdo
+--SKIPIF--
+<?php
+$dir = getenv('REDIR_TEST_DIR');
+if (false != $dir) die('skip is driver independent');
+?>
+--FILE--
+<?php
+$stmt = new PDOStatement();
+try {
+    for ($i = 0; $i < 10; $i++) {
+        $stmt->queryString = (string) $i;
+    }
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($stmt);
+?>
+--EXPECTF--
+Property queryString is read only
+object(PDOStatement)#%d (1) {
+  ["queryString"]=>
+  string(1) "0"
+}