[DBAL-164] Quoting allows SQL injections Created: 10/Sep/11  Updated: 17/Apr/14  Resolved: 13/Sep/11

Status: Resolved
Project: Doctrine DBAL
Component/s: Drivers
Affects Version/s: 2.1.2
Fix Version/s: 2.1.3
Security Level: All

Type: Bug Priority: Major
Reporter: Oliver Mueller Assignee: Guilherme Blanco
Resolution: Fixed Votes: 0
Labels: None
Environment:

OCI8 Driver
IBMDB2 Driver



Description

$test = "foo ' bar";
$quoted = $conn->quote( $test );
echo $quoted;

RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'



Comments
Comment by Guilherme Blanco [ 13/Sep/11 ]

Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8

Comment by Benjamin Eberlei [ 25/Sep/11 ]

Backported to 2.0.9

Comment by Benjamin Eberlei [ 25/Sep/11 ]

Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7

This code is now in DBAL 2.1.4 and 2.0.9 and I have added some tests to verify that some simple SQL Injection vectors don't work on any supported platform.

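Added example in PHP (not code from the Doctrine project or from the commenters above): a Zend-style quoting routine that doubles embedded single quotes, placed next to the pass-through behaviour the report shows, and a small check that tells the two apart by verifying that the quoted output is still exactly one string literal. The function names are my own. In Oracle, as in standard SQL, backslash is not an escape character inside a string literal, so doubling the quote is the rule a driver for these platforms has to apply.

```php
<?php
// Added example, not Doctrine DBAL code. Function names are hypothetical.

/**
 * Quote a PHP string as an Oracle/standard-SQL string literal by doubling
 * every embedded single quote (the rule the Zend-derived fix applies).
 */
function quoteOracleLiteral(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * The behaviour reported in this issue: the value is wrapped in quotes but
 * embedded quotes are left untouched, so the literal ends early.
 */
function quoteBroken(string $value): string
{
    return "'" . $value . "'";
}

/**
 * Check that $literal is one well-formed string literal: it must start and
 * end with a quote, and every quote in the body must be half of a doubled
 * pair. Returns the decoded value on success, or null if the literal would
 * terminate early (the condition that lets trailing SQL through).
 */
function parseSingleLiteral(string $literal): ?string
{
    $len = strlen($literal);
    if ($len < 2 || $literal[0] !== "'" || $literal[$len - 1] !== "'") {
        return null;
    }
    $body = substr($literal, 1, $len - 2);
    $out  = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] !== "'") {
            $out .= $body[$i];
            continue;
        }
        // A quote inside the body is only legal as the first half of a pair.
        if ($i + 1 < $n && $body[$i + 1] === "'") {
            $out .= "'";
            $i++;
            continue;
        }
        return null; // lone quote: the literal ends here
    }
    return $out;
}

// The input string from the report.
$input = "foo ' bar";

foreach (['broken' => quoteBroken($input), 'fixed' => quoteOracleLiteral($input)] as $name => $quoted) {
    $decoded = parseSingleLiteral($quoted);
    printf(
        "%-6s %-14s -> %s\n",
        $name,
        $quoted,
        $decoded === null ? 'literal terminates early (unsafe)' : 'round-trips to "' . $decoded . '"'
    );
}
```

Running it prints `'foo ' bar'` as terminating early and `'foo '' bar'` as round-tripping to the original value; a regression test for a driver's quote() can be built from the same check by asserting that parseSingleLiteral(quote($s)) === $s for a set of inputs containing quotes.
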
Generated at Sat Nov 29 03:36:26 UTC 2014 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.