Doctrine DBAL
  1. Doctrine DBAL
  2. DBAL-111

MySQL Driver possibly subject to sql injections with PDO::quote()

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-BETA2, 2.0.0-BETA3, 2.0.0-BETA4, 2.0.0-RC1-RC3, 2.0-RC4, 2.0-RC5, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1
    • Fix Version/s: 2.0.4, 2.0.5, 2.1
    • Component/s: Drivers
    • Labels:
      None
    • Environment:
      MySQL Drivers

      Description

      Prior to 5.3.6, the MySQL PDO driver ignored the character set parameter to options. Due to MySQL's C api (and MySQLND), this is required for the proper function of mysql_real_escape_string() (the C API call). Since PDO uses the mres() C call for PDO::quote(), this means that the quoted string does not take into account the connection character set.

      Starting with 5.3.6, that was fixed. So now if you pass the proper character set to PDO via driver options, sql injection is impossible while using the PDO::quote() api call.

      PDO proof of concept
      $dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK;';
      $pdo = new PDO($dsn, $user, $pass);
      $pdo->exec('SET NAMES GBK');
      $string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
      $sql = "SELECT TABLE_NAME
                  FROM INFORMATION_SCHEMA.TABLES
                  WHERE TABLE_NAME LIKE ".$pdo->quote($string)." LIMIT 1;";
      $stmt = $pdo->query($sql);
      var_dump($stmt->rowCount());
      

      Expected Result: `int(0)`.
      Actual Result: `int(1)`.

      There are 2 issues to fix. First, the documentation does not indicate that you can pass the `charset` option to the MySQL Driver. This should be fixed so that users are given the proper option to set character sets.

      Secondly, `Connection::setCharset()` should be modified for MySQL to throw an exception, since the character set is only safely setable using the DSN with PDO. This is a limitation of the driver and could be asked as a feature request for the PHP core. Either that, or a big warning should be put on the documentation of the API to indicate the unsafe character set change

        Activity

        Hide
        Anthony Ferrara added a comment -

        Note: issued same bug report for Doctrine1 as it's also affected: http://www.doctrine-project.org/jira/browse/DC-998

        Show
        Anthony Ferrara added a comment - Note: issued same bug report for Doctrine1 as it's also affected: http://www.doctrine-project.org/jira/browse/DC-998
        Hide
        Anthony Ferrara added a comment -

        Also note that prepared statements in PDO will suffer the same bug since PDO always emulates prepared statements for the mysql driver (even though it fully supports them in the source). See: http://bugs.php.net/bug.php?id=54638

        Show
        Anthony Ferrara added a comment - Also note that prepared statements in PDO will suffer the same bug since PDO always emulates prepared statements for the mysql driver (even though it fully supports them in the source). See: http://bugs.php.net/bug.php?id=54638
        Hide
        Benjamin Eberlei added a comment -

        Fixed, updated the docs

        Show
        Benjamin Eberlei added a comment - Fixed, updated the docs

          People

          • Assignee:
            Benjamin Eberlei
            Reporter:
            Anthony Ferrara
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: