http://www.doctrine-project.org/jira/secure/IssueNavigator.jspa?reset=true&jqlQuery=project+%3D+DBAL+AND+fixVersion+%3D+%222.0.9%22+ORDER+BY+updated+DESC%2C+priority+DESC%2C+created+ASC An XML representation of a search request en-us 5.2.7 850 21-02-2013 http://www.doctrine-project.org/jira/browse/DBAL-164 Doctrine DBAL <p>$test = "foo ' bar";<br/> $quoted = $conn-&gt;quote( $test );<br/> echo $quoted;</p> <p>RESULT: 'foo ' bar'<br/> EXPECTED: 'foo \' bar'</p> OCI8 Driver<br/> IBMDB&quot; Driver<br/> DBAL-164

Quoting allows SQL injections

Bug Major Resolved Fixed All Guilherme Blanco Oliver Mueller Sat, 10 Sep 2011 14:31:21 +0000 Sun, 25 Sep 2011 19:07:47 +0000 Tue, 13 Sep 2011 04:51:19 +0000 2.1.2 2.0.9 2.1.3 Drivers 0 0 <p>Fixed in <a href="https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8" class="external-link">https://github.com/doctrine/dbal/commit/82cc921447fde697bf3d9f5285d0f0b8587303d8</a></p> <p>Backported to 2.0.9</p> <p>Fix was modified to use the Zend Framework code for quoting OCI input: <a href="https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7" class="external-link">https://github.com/doctrine/dbal/commit/97638edc0fef0e08ce7db631eb130fde950844d7</a></p> <p>This code is now in DBAL 2.1.4 and 2.0.9 and i have added some tests to very some simple SQL Injection vectors don't work on any supported platform.</p>