Doctrine DBAL

Quoting allows SQL injections

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 2.1.2
  • Fix Version/s: 2.0.9, 2.1.3
  • Component/s: Drivers
  • Security Level: All
  • Labels:
    None
  • Environment:
    OCI8 Driver
    IBMDB" Driver

Description

$test = "foo ' bar";
$quoted = $conn->quote( $test );
echo $quoted;

RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'

Activity

Ascending order - Click to sort in descending order
Guilherme Blanco made changes -
Field Original Value New Value
Status Open [ 1 ] Resolved [ 5 ]
Assignee Benjamin Eberlei [ beberlei ] Guilherme Blanco [ guilhermeblanco ]
Fix Version/s 2.1.3 [ 10162 ]
Resolution Fixed [ 1 ]
Benjamin Eberlei made changes -
Fix Version/s 2.0.9 [ 10168 ]
Benjamin Eberlei made changes -
Security Security Issues [ 10001 ] All [ 10000 ]
Benjamin Eberlei made changes -
Workflow jira [ 13011 ] jira-feedback2 [ 17749 ]
Benjamin Eberlei made changes -
Workflow jira-feedback2 [ 17749 ] jira-feedback3 [ 20104 ]

People

  • Assignee:
    Guilherme Blanco
    Reporter:
    Oliver Mueller
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: