[DBAL-121] Mapping, decimal returns float. Created: 12/Apr/11  Updated: 14/May/11  Resolved: 14/May/11

Status: Resolved
Project: Doctrine DBAL
Component/s: None
Affects Version/s: 2.0.3
Fix Version/s: 2.0.5

Type: Bug Priority: Major
Reporter: Tom Van Looy Assignee: Benjamin Eberlei
Resolution: Fixed Votes: 0
Labels: None
Environment:

Linux Ubuntu 10.10 x86_64, PHP 5.3.3-1ubuntu9.3, mysql Ver 14.14 Distrib 5.1.49



 Description   

I have a Doctrine 2 entity and the value is mapped like this (with regular getter/setter):

 
/**
 * @Column(type="decimal", precision=40, scale=30)
 */
protected $someValue;

/**
 * @return decimal
 */
public function getSomeValue()
{
    return $this->someValue;
}

/**
 * @param decimal $someValue
 */
public function setSomeValue($someValue)
{
    $this->someValue = $someValue;
}

When I set that value from my code, the value gets written into the database correctly. But, and that is my problem, when I get the value (via getter or \Doctrine\Common\Util\Debug::dump()), it always gives me a number with maximum 14 digits, and it rounds the value. I read the record with the default findById().

eg: with value 1234567890.012345678901234567890123456789 I have 1234567890.0123
eg: with value 890.0123456789012345678901234567890123456 I have 890.01234567890

I of course want all digits, not just 14. The field in MySQL is declared like this:

 
    someValue decimal(40,30) NOT NULL,

When I get the value with raw PHP and mysql_query(), it returns correctly.

It seems like the problem is that Doctrine returns a float: ["someValue":protected]=> float(234567890.01235)

What's wrong, what should I check next, how to fix, any clues?
(also posted on http://stackoverflow.com/questions/5635500/doctrine-2-decimal-can-only-contain-14-digits)



 Comments   
Comment by Benjamin Eberlei [ 12/Apr/11 ]

ah yes, this is a bug.

Comment by Benjamin Eberlei [ 14/May/11 ]

fixed





[DBAL-119] Outdated Console component Created: 11/May/11  Updated: 14/May/11  Resolved: 14/May/11

Status: Resolved
Project: Doctrine DBAL
Component/s: None
Affects Version/s: 2.0.4
Fix Version/s: 2.0.5

Type: Bug Priority: Major
Reporter: Christophe Coevoet Assignee: Benjamin Eberlei
Resolution: Fixed Votes: 0
Labels: None


 Description   

The DBAL submodule uses an outdated version of the Console component (before the switch to private properties). But the Migrations project defines its command using the latest interface which means that it cannot be used with the DBAL out-of-the-box as it calls the getApplication method which does not exist in the old version of the component.



 Comments   
Comment by Benjamin Eberlei [ 14/May/11 ]

Fixed for 2.0.x aswell





[DBAL-118] When speaking about security do not rely on default link in mysql_* function calls Created: 11/May/11  Updated: 14/May/11  Resolved: 14/May/11

Status: Resolved
Project: Doctrine DBAL
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0.5

Type: Documentation Priority: Major
Reporter: Ulf Wendel Assignee: Benjamin Eberlei
Resolution: Fixed Votes: 0
Labels: None


 Description   

The documentation about escaping reads:

"Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysql_real_escape_string() to avoid SQL injection:

<?php
$sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id) . "'";
$rs = mysql_query($sql);",
http://www.doctrine-project.org/docs/dbal/2.0/en/reference/data-retrieval-and-manipulation.html

Please, do not rely on MySQL default links when discussing security issues. One of major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example, when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not use default connection.

"string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )",
http://de.php.net/mysql_real_escape_string

Please, change the example:

<?php
$sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id, $link) . "'";
$rs = mysql_query($sql);",

($link added)

Thanks!



 Comments   
Comment by Benjamin Eberlei [ 14/May/11 ]

Changed, the new docs will be rolled up sometime this weekend.





[DBAL-111] MySQL Driver possibly subject to sql injections with PDO::quote() Created: 18/Apr/11  Updated: 14/May/11  Resolved: 14/May/11

Status: Resolved
Project: Doctrine DBAL
Component/s: Drivers
Affects Version/s: 2.0.0-BETA2, 2.0.0-BETA3, 2.0.0-BETA4, 2.0.0-RC1-RC3, 2.0-RC4, 2.0-RC5, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1
Fix Version/s: 2.0.4, 2.0.5, 2.1

Type: Bug Priority: Critical
Reporter: Anthony Ferrara Assignee: Benjamin Eberlei
Resolution: Fixed Votes: 0
Labels: None
Environment:

MySQL Drivers



 Description   

Prior to 5.3.6, the MySQL PDO driver ignored the character set parameter to options. Due to MySQL's C api (and MySQLND), this is required for the proper function of mysql_real_escape_string() (the C API call). Since PDO uses the mres() C call for PDO::quote(), this means that the quoted string does not take into account the connection character set.

Starting with 5.3.6, that was fixed. So now if you pass the proper character set to PDO via driver options, sql injection is impossible while using the PDO::quote() api call.

PDO proof of concept
$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK;';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
$sql = "SELECT TABLE_NAME
            FROM INFORMATION_SCHEMA.TABLES
            WHERE TABLE_NAME LIKE ".$pdo->quote($string)." LIMIT 1;";
$stmt = $pdo->query($sql);
var_dump($stmt->rowCount());

Expected Result: `int(0)`.
Actual Result: `int(1)`.

There are 2 issues to fix. First, the documentation does not indicate that you can pass the `charset` option to the MySQL Driver. This should be fixed so that users are given the proper option to set character sets.

Secondly, `Connection::setCharset()` should be modified for MySQL to throw an exception, since the character set is only safely setable using the DSN with PDO. This is a limitation of the driver and could be asked as a feature request for the PHP core. Either that, or a big warning should be put on the documentation of the API to indicate the unsafe character set change



 Comments   
Comment by Anthony Ferrara [ 19/Apr/11 ]

Note: issued same bug report for Doctrine1 as it's also affected: http://www.doctrine-project.org/jira/browse/DC-998

Comment by Anthony Ferrara [ 29/Apr/11 ]

Also note that prepared statements in PDO will suffer the same bug since PDO always emulates prepared statements for the mysql driver (even though it fully supports them in the source). See: http://bugs.php.net/bug.php?id=54638

Comment by Benjamin Eberlei [ 14/May/11 ]

Fixed, updated the docs





Generated at Sat Nov 29 07:41:18 UTC 2014 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.