Doctrine Project

[DBAL-121] Mapping, decimal returns float.

Sat, 14 May 2011 10:23:46 +0000

I have a Doctrine 2 entity and the value is mapped like this (with regular getter/setter):

 
/**
 * @Column(type="decimal", precision=40, scale=30)
 */
protected $someValue;

/**
 * @return decimal
 */
public function getSomeValue()
{
    return $this->someValue;
}

/**
 * @param decimal $someValue
 */
public function setSomeValue($someValue)
{
    $this->someValue = $someValue;
}

When I set that value from my code, the value gets written into the database correctly. But, and that is my problem, when I get the value (via getter or \Doctrine\Common\Util\Debug::dump()), it always gives me a number with maximum 14 digits, and it rounds the value. I read the record with the default findById().

eg: with value 1234567890.012345678901234567890123456789 I have 1234567890.0123
eg: with value 890.0123456789012345678901234567890123456 I have 890.01234567890

I of course want all digits, not just 14. The field in MySQL is declared like this:

 
    someValue decimal(40,30) NOT NULL,

When I get the value with raw PHP and mysql_query(), it returns correctly.

It seems like the problem is that Doctrine returns a float: ["someValue":protected]=> float(234567890.01235)

What's wrong, what should I check next, how to fix, any clues?
(also posted on http://stackoverflow.com/questions/5635500/doctrine-2-decimal-can-only-contain-14-digits)

[DBAL-111] MySQL Driver possibly subject to sql injections with PDO::quote()

Sat, 14 May 2011 07:24:48 +0000

Prior to 5.3.6, the MySQL PDO driver ignored the character set parameter to options. Due to MySQL's C api (and MySQLND), this is required for the proper function of mysql_real_escape_string() (the C API call). Since PDO uses the mres() C call for PDO::quote(), this means that the quoted string does not take into account the connection character set.

Starting with 5.3.6, that was fixed. So now if you pass the proper character set to PDO via driver options, sql injection is impossible while using the PDO::quote() api call.

PDO proof of concept

$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK;';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
$sql = "SELECT TABLE_NAME
            FROM INFORMATION_SCHEMA.TABLES
            WHERE TABLE_NAME LIKE ".$pdo->quote($string)." LIMIT 1;";
$stmt = $pdo->query($sql);
var_dump($stmt->rowCount());

Expected Result: `int(0)`.
Actual Result: `int(1)`.

There are 2 issues to fix. First, the documentation does not indicate that you can pass the `charset` option to the MySQL Driver. This should be fixed so that users are given the proper option to set character sets.

Secondly, `Connection::setCharset()` should be modified for MySQL to throw an exception, since the character set is only safely setable using the DSN with PDO. This is a limitation of the driver and could be asked as a feature request for the PHP core. Either that, or a big warning should be put on the documentation of the API to indicate the unsafe character set change

[DBAL-119] Outdated Console component

Sat, 14 May 2011 06:26:41 +0000

The DBAL submodule uses an outdated version of the Console component (before the switch to private properties). But the Migrations project defines its command using the latest interface which means that it cannot be used with the DBAL out-of-the-box as it calls the getApplication method which does not exist in the old version of the component.

[DBAL-118] When speaking about security do not rely on default link in mysql_* function calls

Sat, 14 May 2011 06:20:30 +0000

The documentation about escaping reads:

"Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysql_real_escape_string() to avoid SQL injection:

<?php
$sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id) . "'";
$rs = mysql_query($sql);",
http://www.doctrine-project.org/docs/dbal/2.0/en/reference/data-retrieval-and-manipulation.html

Please, do not rely on MySQL default links when discussing security issues. One of major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example, when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not use default connection.

"string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )",
http://de.php.net/mysql_real_escape_string

Please, change the example:

<?php
$sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id, $link) . "'";
$rs = mysql_query($sql);",

($link added)

Thanks!