After upgrading to 5.1.0: Strings with null bytes cannot be escaped. Use the binary escape option.

[ahoiroman]

Telescope Version

5.1.0

Laravel Version

11

PHP Version

8.3

Database Driver & Version

MariaDB

Description

After upgrading laravel/telescope to 5.1.0, I am getting a RuntimeException:

Strings with null bytes cannot be escaped. Use the binary escape option.

The code that causes this is the following:

$uuid = fake()->uuid();

return Cache::remember("user-$uuid", now()->addHour(), function () {
  return User::create([
    "email" => fake()->email(),
    "password" => bcrypt(fake()->password()),
    "username" => fake()->username()
  ]);
});

The change that introduced this behavior is this: https://github.com/laravel/telescope/pull/1486/files#diff-397191004b8c1dbda4835ec7eda183402511fcb376c12796072958be5ead9f0c

Pinning telescope to 5.0.5 solves the issue for now.

Steps To Reproduce

Create a new Laravel project and use tinker(well) to run this code:

$uuid = fake()->uuid();

return Cache::remember("user-$uuid", now()->addHour(), function () {
  return User::create([
    "email" => fake()->email(),
    "password" => bcrypt(fake()->password()),
    "username" => fake()->username()
  ]);
});

[Rockylars]

I encountered similar issues through any small Model update that made Revisionable call Telescope and fail on it as a Datetime somehow ended up in the escape() function.

Had to lock it to <5.1 for now.

[driesvints]

@morloderex could you provide a fix for this? Otherwise we'll have to revert that PR.

[morloderex]

@driesvints Sorry for the late answer!
This issue is something i believe should be fixed in the framework by somehow detecting if the parameter binding while looping should use binary escaping or not since that is not done within substituteBindingsIntoRawSql.

@tpetry can you elaborate a bit more on why you didn't choose get and implement the binary flag for parameter bindings?

[billriess]

Just wanted to chime in that I also noticed this same bug. It was causing our develop database to max connections and eventually crash our vapor environment.

[tpetry]

@tpetry can you elaborate a bit more on why you didn't choose get and implement the binary flag for parameter bindings?

@morloderex There's currently no way in eloquent to provide flags or hints for parameter bindings. The correct way would be to add a binary cast to Eloquent. Its not much work as all the building blocks already exist. But I've just not have any project anymore that stores binary data in the database so I hadn't any need yet to implement it.

[driesvints]

I reverted this PR for now to unblock people. @morloderex would love a new PR but with the things people mentioned here in mind.

[JohnnyQ352]

Guys the tool is not the problem. It is the older 5.x Laravel code that allowed us to create functions and variables without considering any NULL values for variables or columns within our code calls. so if you had say

public function columbus($user, Request $requedst)
{
// Your code here...
}

You are to redo it like this..

public function columbus($user = null, Request $requedst)
{
// Your code here...
}

and so forth and so on...

In the older Laravel versions we can say

$variable = "a value";

but if it is inside an if statement

if (my_condition){
$variable = "a value";
}

it is not defined at all unless the condition is met so the tool will evaluate it as a string with null bytes instead of a binary with null bytes when it tries to evaluate a condition that was not sent to the function. You can't expect the tool to do everything for you.

In my case I noticed that another tool I used called Pulse, was using the old way of code writing and was giving a crapload of the same error until I checked their code. I simply stop using it and voila..

My point, check your code, validate your data and make sure your variables are pre-defined with null if you need it to be that.

A lot of bool vars can be 0 or 1 as well.

Anyway, just my 2¢

Johnny

[ahoiroman]

To be honest: I dont get your point. At least for my usecase I did not have undefined vars.

if you check my code in the initial post, I dont see any undefined vars at all.