mysqli_stmt_bind_param: type mismatch do not raise error

Question

I'm working on a php application I try and succed in using mysqli with that function :

function executeUpdateInsert($SQLStatement, $SQLBindString, $bindValueArray){
$ret = -1;
$dbConnection = getDbConnection();
$stmt =  mysqli_prepare( $dbConnection, $SQLStatement);
$bindParamArray = array_merge(array($stmt, $SQLBindString), $bindValueArray );
call_user_func_array ( mysqli_stmt_bind_param , $bindParamArray );

if( mysqli_stmt_execute($stmt) ) {
    $ret = mysqli_insert_id ($dbConnection);    
    mysqli_stmt_close($stmt);
    $dbConnection->close();
}else{
    mysqli_stmt_close($stmt);
    $dbConnection->close();
}
return $ret;
}

The function call looks like :

executeUpdateInsert( "UPDATE mytable(int1, int2, string2)VALUES (?,?,?)", "iis", array ( 12,42,"string") ) );

This is actually working althought I find a very strange behaviour of that when I try to insert non integer like 125r896 value inside the database. In a perfect world I would expect that mysqli_stmt_execute($stmt) return FALSE and fail, but no it inserts 125 in the integer field instead.

Am i doing something incorrectly or is it the normal behaviour of the statement object in PHP + MySQL?
Because I cleary considere that as a bug and not a feature.

Answer 1

mysqli_stmt_bind_param() does not validate your data, it forces the data to a type. You need to validate that your data is what you expect.