Quoting allows SQL injections

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.2
Fix Version/s: 2.0.9, 2.1.3
Component/s: Drivers
Security Level: All
Labels:
None
Environment:
OCI8 Driver
IBMDB" Driver

Description

$test = "foo ' bar";
$quoted = $conn->quote( $test );
echo $quoted;

RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Guilherme Blanco added a comment - 13/Sep/11 4:51 AM

Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8

Show

Guilherme Blanco added a comment - 13/Sep/11 4:51 AM Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8

Guilherme Blanco made changes - 13/Sep/11 4:51 AM

Field	Original Value	New Value
Status	Open [ 1 ]	Resolved [ 5 ]
Assignee	Benjamin Eberlei [ beberlei ]	Guilherme Blanco [ guilhermeblanco ]
Fix Version/s		2.1.3 [ 10162 ]
Resolution		Fixed [ 1 ]

Hide

Permalink

Benjamin Eberlei added a comment - 25/Sep/11 6:42 PM

Backported to 2.0.9

Show

Benjamin Eberlei added a comment - 25/Sep/11 6:42 PM Backported to 2.0.9

Benjamin Eberlei made changes - 25/Sep/11 6:42 PM

Fix Version/s

2.0.9 [ 10168 ]

Benjamin Eberlei made changes - 25/Sep/11 6:58 PM

Security

Security Issues [ 10001 ]

All [ 10000 ]

Hide

Permalink

Benjamin Eberlei added a comment - 25/Sep/11 7:07 PM - edited

Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7

This code is now in DBAL 2.1.4 and 2.0.9 and i have added some tests to very some simple SQL Injection vectors don't work on any supported platform.

Show

Benjamin Eberlei added a comment - 25/Sep/11 7:07 PM - edited Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7 This code is now in DBAL 2.1.4 and 2.0.9 and i have added some tests to very some simple SQL Injection vectors don't work on any supported platform.

Benjamin Eberlei made changes - 07/Jul/12 2:10 PM

Workflow

jira [ 13011 ]

jira-feedback2 [ 17749 ]

Benjamin Eberlei made changes - 08/Jul/12 6:23 AM

Workflow

jira-feedback2 [ 17749 ]

jira-feedback3 [ 20104 ]

This list may be incomplete, as errors occurred whilst retrieving source from linked applications:

Request to http://www.doctrine-project.org/fisheye/ failed: Error in remote call to 'FishEye 0 (http://www.doctrine-project.org/fisheye/)' (http://www.doctrine-project.org/fisheye) [AbstractRestCommand{path='/rest-service-fe/search-v1/crossRepositoryQuery', params={query=DBAL-164, expand=changesets[-21:-1].revisions[0:29],reviews}, methodType=GET}] : Received status code 503 (Service Temporarily Unavailable)

People

Assignee:

Guilherme Blanco

Reporter:

Oliver Mueller

Vote (0)

Watch (0)

Dates

Created:

10/Sep/11 2:31 PM

Updated:

25/Sep/11 7:07 PM

Resolved:

13/Sep/11 4:51 AM