From 8e3ab806675d86ba0fb03b350d43dc45f51703e9 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Tue, 16 Jun 2026 16:27:53 -0400
Subject: [PATCH 1/3] Remove stray printf() on invalid DSN version in pdo_dblib

When the connection string specified an unrecognized TDS version,
pdo_dblib_handle_factory() wrote the message to stdout via printf()
before raising the proper PDO error, corrupting SAPI output. The
pdo_raise_impl_error() call right below already reports the condition;
drop the printf().

Closes GH-22345
---
 ext/pdo_dblib/dblib_driver.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
index 0055dcb03b3c..00ecf2d232cd 100644
--- a/ext/pdo_dblib/dblib_driver.c
+++ b/ext/pdo_dblib/dblib_driver.c
@@ -539,7 +539,6 @@ static int pdo_dblib_handle_factory(pdo_dbh_t *dbh, zval *driver_options)
 		}
 
 		if (i==nvers) {
-			printf("Invalid version '%s'\n", vars[5].optval);
 			pdo_raise_impl_error(dbh, NULL, "HY000", "PDO_DBLIB: Invalid version specified in connection string.");
 			goto cleanup; /* unknown version specified */
 		}

From 1a5a81ca9f15d1d46d9b705e2f66aec4e9d41cc0 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Tue, 16 Jun 2026 16:28:31 -0400
Subject: [PATCH 2/3] Fix buffer overflow converting @@IDENTITY in pdo_dblib
 lastInsertId

dblib_handle_last_id() converted the @@IDENTITY value into a 32-byte
buffer with dbconvert()'s destination length set to -1, which disables
FreeTDS's destination bounds check. A numeric(p,0) IDENTITY column with
precision over ~30 produces a textual form longer than 32 bytes,
overflowing the buffer. Size the buffer for the widest @@IDENTITY
(numeric(38,0): 38 digits, sign, NUL) and pass the real destination
length so dbconvert() stays in bounds, mirroring the explicit-destlen
fix already in pdo_dblib_stmt_stringify_col().

Closes GH-22348
---
 ext/pdo_dblib/dblib_driver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
index 00ecf2d232cd..d1d849168bab 100644
--- a/ext/pdo_dblib/dblib_driver.c
+++ b/ext/pdo_dblib/dblib_driver.c
@@ -267,8 +267,8 @@ zend_string *dblib_handle_last_id(pdo_dbh_t *dbh, const zend_string *name)
 		return NULL;
 	}
 
-	id = emalloc(32);
-	len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)-1);
+	id = emalloc(40);
+	len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)40);
 	dbcancel(H->link);
 
 	ret_id = zend_string_init(id, len, 0);

From 47f060ca330e16f9ea9b7b2b3edf5c4861219128 Mon Sep 17 00:00:00 2001
From: Jorg Sowa <jorg.sowa@gmail.com>
Date: Tue, 16 Jun 2026 00:15:53 +0200
Subject: [PATCH 3/3] Ignore leading namespace separator in
 ReflectionParameter::__construct()

Strip a leading '\\' before lowercasing, matching ReflectionFunction::__construct().

Fixes GH-22324
Closes GH-22325
---
 NEWS                                            |  3 +++
 ext/reflection/php_reflection.c                 | 17 ++++++++++++++---
 .../ReflectionParameter_leading_backslash.phpt  | 17 +++++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 ext/reflection/tests/ReflectionParameter_leading_backslash.phpt

diff --git a/NEWS b/NEWS
index 2ea7143e39e6..1a069963bd59 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.24
 
+- Reflection:
+  . Fixed bug GH-22324 (Ignore leading namespace separator in
+    ReflectionParameter::__construct()). (jorgsowa)
 
 02 Jul 2026, PHP 8.4.23
 
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 1f5b448f85fe..eba5600c16a2 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -2480,9 +2480,20 @@ ZEND_METHOD(ReflectionParameter, __construct)
 	switch (Z_TYPE_P(reference)) {
 		case IS_STRING:
 			{
-				zend_string *lcname = zend_string_tolower(Z_STR_P(reference));
-				fptr = zend_hash_find_ptr(EG(function_table), lcname);
-				zend_string_release(lcname);
+				zend_string *fname = Z_STR_P(reference);
+				zend_string *lcname;
+				if (UNEXPECTED(ZSTR_VAL(fname)[0] == '\\')) {
+					/* Ignore leading "\" */
+					ALLOCA_FLAG(use_heap)
+					ZSTR_ALLOCA_ALLOC(lcname, ZSTR_LEN(fname) - 1, use_heap);
+					zend_str_tolower_copy(ZSTR_VAL(lcname), ZSTR_VAL(fname) + 1, ZSTR_LEN(fname) - 1);
+					fptr = zend_fetch_function(lcname);
+					ZSTR_ALLOCA_FREE(lcname, use_heap);
+				} else {
+					lcname = zend_string_tolower(fname);
+					fptr = zend_fetch_function(lcname);
+					zend_string_release(lcname);
+				}
 				if (!fptr) {
 					zend_throw_exception_ex(reflection_exception_ptr, 0,
 						"Function %s() does not exist", Z_STRVAL_P(reference));
diff --git a/ext/reflection/tests/ReflectionParameter_leading_backslash.phpt b/ext/reflection/tests/ReflectionParameter_leading_backslash.phpt
new file mode 100644
index 000000000000..b0a7827c2764
--- /dev/null
+++ b/ext/reflection/tests/ReflectionParameter_leading_backslash.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ReflectionParameter::__construct(): a leading "\" in the function name is ignored
+--FILE--
+<?php
+
+function demo(string $arg) {}
+
+$p = new ReflectionParameter("\\demo", 0);
+var_dump($p->getName());
+
+$p = new ReflectionParameter("demo", 0);
+var_dump($p->getName());
+
+?>
+--EXPECT--
+string(3) "arg"
+string(3) "arg"