[DBAL-164] Quoting allows SQL injections Created: 10/Sep/11  Updated: 25/Sep/11  Resolved: 13/Sep/11

Status: Resolved
Project: Doctrine DBAL
Component/s: Drivers
Affects Version/s: 2.1.2
Fix Version/s: 2.0.9, 2.1.3
Security Level: All

Type: Bug Priority: Major
Reporter: Oliver Mueller Assignee: Guilherme Blanco
Resolution: Fixed Votes: 0
Labels: None
Environment:

OCI8 Driver
IBMDB" Driver


 Description   

$test = "foo ' bar";
$quoted = $conn->quote( $test );
echo $quoted;

RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'

 Comments   
Comment by Guilherme Blanco [ 13/Sep/11 ]

Fixed in https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8

Comment by Benjamin Eberlei [ 25/Sep/11 ]

Backported to 2.0.9

Comment by Benjamin Eberlei [ 25/Sep/11 ]

Fix was modified to use the Zend Framework code for quoting OCI input: https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7

This code is now in DBAL 2.1.4 and 2.0.9 and i have added some tests to very some simple SQL Injection vectors don't work on any supported platform.




Generated at Sun May 19 05:06:09 UTC 2013 using JIRA 5.2.7#850-sha1:b2af0c8dc8537b36121c6a579fabbdf79fc919e5.