Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.2
    • Fix Version/s: 2.1.3
    • Component/s: Drivers
    • Security Level: All
    • Labels:
      None
    • Environment:
      OCI8 Driver
      IBMDB2 Driver

      Description

      $test = "foo ' bar";
      $quoted = $conn->quote( $test );
      echo $quoted;

      RESULT: 'foo ' bar'
      EXPECTED: 'foo \' bar'
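An added example, not code from the original issue or from DBAL itself, contrasting the reported behaviour with a quoting routine that doubles embedded single quotes (the standard SQL escape used by Oracle and DB2), plus a check that a quoted value still forms exactly one literal. The function names naiveQuote, safeQuote and isSingleLiteral are hypothetical.

```php
<?php
// Added example (not part of the original issue or the DBAL code base).
// naiveQuote() reproduces the reported behaviour: the value is wrapped in
// quotes but embedded quotes are left alone, so an inner quote ends the
// literal early. safeQuote() doubles each embedded single quote, which is
// how standard SQL (and Oracle/DB2) represents a quote inside a literal.
// All function names here are hypothetical, not DBAL's own API.

function naiveQuote(string $value): string
{
    return "'" . $value . "'";
}

function safeQuote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// isSingleLiteral() checks that a quoted string is exactly one SQL literal:
// it must start and end with a quote, and every quote inside must belong to
// a doubled pair. A lone inner quote means the literal was terminated early.
function isSingleLiteral(string $quoted): bool
{
    if (strlen($quoted) < 2 || $quoted[0] !== "'" || substr($quoted, -1) !== "'") {
        return false;
    }
    $inner = substr($quoted, 1, -1);
    // Strip all doubled quotes; any quote left over is a terminator.
    return strpos(str_replace("''", '', $inner), "'") === false;
}

// Constructed sample inputs, including the value from the bug report.
$samples = ["foo ' bar", "O'Reilly", "plain"];

foreach ($samples as $value) {
    printf(
        "%-10s naive=%-14s %-6s safe=%-14s %s\n",
        $value,
        naiveQuote($value),
        isSingleLiteral(naiveQuote($value)) ? 'ok' : 'BROKEN',
        safeQuote($value),
        isSingleLiteral(safeQuote($value)) ? 'ok' : 'BROKEN'
    );
}
```

For "foo ' bar" the naive form is reported as BROKEN while the safe form yields 'foo '' bar', which is what a driver-level quote() must produce before the value is interpolated into SQL.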

        Activity

        Benjamin Eberlei added a comment - edited

        Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7

        This code is now in DBAL 2.1.4 and 2.0.9 and I have added some tests to verify some simple SQL Injection vectors don't work on any supported platform.

        Benjamin Eberlei added a comment -

        Backported to 2.0.9

        Guilherme Blanco added a comment -

        Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8

          People

          • Assignee:
            Guilherme Blanco
          • Reporter:
            Oliver Mueller
          • Votes:
            0
          • Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved: