Quoting allows SQL injections

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.2
Fix Version/s: 2.0.9, 2.1.3
Component/s: Drivers
Security Level: All
Labels:
None
Environment:
OCI8 Driver
IBMDB" Driver

Description

$test = "foo ' bar";
$quoted = $conn->quote( $test );
echo $quoted;

RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Guilherme Blanco added a comment - 13/Sep/11 4:51 AM

Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8

Show

Guilherme Blanco added a comment - 13/Sep/11 4:51 AM Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8

Hide

Permalink

Benjamin Eberlei added a comment - 25/Sep/11 6:42 PM

Backported to 2.0.9

Show

Benjamin Eberlei added a comment - 25/Sep/11 6:42 PM Backported to 2.0.9

Hide

Permalink

Benjamin Eberlei added a comment - 25/Sep/11 7:07 PM - edited

Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7

This code is now in DBAL 2.1.4 and 2.0.9 and i have added some tests to very some simple SQL Injection vectors don't work on any supported platform.

Show

Benjamin Eberlei added a comment - 25/Sep/11 7:07 PM - edited Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7 This code is now in DBAL 2.1.4 and 2.0.9 and i have added some tests to very some simple SQL Injection vectors don't work on any supported platform.

People

Assignee:

Guilherme Blanco

Reporter:

Oliver Mueller

Vote (0)

Watch (0)

Dates

Created:

10/Sep/11 2:31 PM

Updated:

25/Sep/11 7:07 PM

Resolved:

13/Sep/11 4:51 AM