PHP :: Bug #41125 :: PDO mysql + quote() + prepare() can result in seg fault

Bug #41125

PDO mysql + quote() + prepare() can result in seg fault

Submitted:

2007-04-17 20:34 UTC

Modified:

2008-10-10 12:19 UTC

Votes:	6
Avg. Score:	4.7 ± 0.7
Reproduced:	5 of 5 (100.0%)
Same Version:	2 (40.0%)
Same OS:	0 (0.0%)

From:

ed at bronto dot com

Assigned:

felipe (profile)

Status:

Closed

Package:

PDO related

PHP Version:

5.2.1

OS:

Centos

Private report:

CVE-ID:

None

View Developer Edit

[2007-04-17 20:34 UTC] ed at bronto dot com

Description:
------------
Using PDO->quote on a portion of a query to be prepared will result in a seg fault if:

- there is a bound parameter after the quoted value
- emulated prepares is on (1)
- mysql

If emulated prepares is off (0), the query fails.  This should also be considered a bug.

Reproduce code:
---------------
//test.php

//the mysql table first: create table ed (id int not null, name varchar(255) not null);

$db = new PDO('mysql:host=' . HOST . ';dbname=' . NAME, USERNAME, PASSWORD);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);

$search = "o'riley";

$values = array();
$sql = "select id from ed where name like " . $db->quote('%' . $search . '%');
$sth = $db->prepare($sql);
$sth->execute($values);
echo("here\n");

$values = array('id' => 1233434);
$sql = "select id from ed where name like " . $db->quote('%' . $search . '%') . " and id = :id";
$sth = $db->prepare($sql);
$sth->execute($values);
echo("there\n");


Expected result:
----------------
No errors should occur.

Should print "here\nthere\n".

Actual result:
--------------
[ed@a_machine]$ php test.php
here
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-04-17 20:36 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2007-04-25 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2008-05-23 19:48 UTC] afranco at middlebury dot edu

I have the same issue as this bug and am posting here rather than opening a new bug report. I found that the issue is not reliant on usage of quote(), but rather the presence of escaped quotes in the SQL query string.

Tested on PHP 5.2CVS-2008-05-23(Snap)

Reproduce code:
---------------
The following URL has several extended test scripts and source, as well as the MySQL table definition/data to reproduce this bug:

http://slug.middlebury.edu/~afranco/PHP_PDO_segfault/


Expected result:
----------------
No errors should occur.


Actual result:
--------------
Here is the backtrace from running my segfault_test_short.php script:

Program received signal SIGSEGV, Segmentation fault.

#0  0x4020540c in memcpy () from /lib/tls/libc.so.6
#1  0x40cd543b in pdo_parse_params (stmt=0x8326320, 
    inquery=0x83264ac "SELECT * \nFROM \n\t`az2_explicit_az` \nWHERE \n\t`fk_agent` IN ('Tim O\\'Brien - abcdefghijklmnopqrstuvwxyzabc')\n\t AND `fk_qualifier`=?", inquery_len=129, outquery=0x832636c, outquery_len=0x8326370)
    at /usr/local/src/php5.2-200805231430/ext/pdo/pdo_sql_parser.c:502
#2  0x40ccee0c in zim_PDOStatement_execute (ht=0, return_value=0x8326710, return_value_ptr=0x0, this_ptr=0x8325cb8, return_value_used=0)
    at /usr/local/src/php5.2-200805231430/ext/pdo/pdo_stmt.c:482
#3  0x40ea7c5b in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb730) at zend_vm_execute.h:200
#4  0x40ea81a7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfffb730) at zend_vm_execute.h:322
#5  0x40ea786e in execute (op_array=0x83242ec) at zend_vm_execute.h:92
#6  0x40e87c08 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php5.2-200805231430/Zend/zend.c:1134
#7  0x40e3fb0e in php_execute_script (primary_file=0xbfffda40) at /usr/local/src/php5.2-200805231430/main/main.c:2005
#8  0x40eef991 in apache_php_module_main (r=0x8522648, display_source_mode=0)
    at /usr/local/src/php5.2-200805231430/sapi/apache/sapi_apache.c:53
#9  0x40ef06fc in send_php (r=0x8522648, display_source_mode=0, filename=0x85243b0 "")
    at /usr/local/src/php5.2-200805231430/sapi/apache/mod_php5.c:664
#10 0x40ef0747 in send_parsed_php (r=0x8522648) at /usr/local/src/php5.2-200805231430/sapi/apache/mod_php5.c:679
#11 0x08057b67 in ap_invoke_handler ()
#12 0x0806a501 in process_request_internal ()
#13 0x0806a700 in ap_process_request ()
#14 0x08060a3b in child_main ()
#15 0x08060dd6 in make_child ()
#16 0x08060f0a in startup_children ()
#17 0x0806257c in standalone_main ()
#18 0x080638b2 in main ()

[2008-05-23 20:00 UTC] ed at bronto dot com

reopened due to backtrace

[2008-07-03 17:36 UTC] uw@php.net

This bug still exists in PHP 5_3. Its as simple as this to crash PDO:

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$db->query("SELECT 1 FROM DUAL WHERE 'test' LIKE '\'' AND 0 > :id");

==20117== Invalid read of size 1
==20117==    at 0x4A21EF8: memcpy (mc_replace_strmem.c:402)
==20117==    by 0x4E3475: pdo_parse_params (pdo_sql_parser.re:291)
==20117==    by 0x4DB205: zim_PDOStatement_execute (pdo_stmt.c:482)
==20117==    by 0x7858AD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313)
==20117==    by 0x786638: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:422)
==20117==    by 0x784AF9: execute (zend_vm_execute.h:104)
==20117==    by 0x758DF9: zend_execute_scripts (zend.c:1198)
==20117==    by 0x6E5D5E: php_execute_script (main.c:2082)
==20117==    by 0x7F6986: main (php_cli.c:1139)

[2008-07-03 17:52 UTC] uw@php.net

Grr, I need a break - same pattern but should not cause any parse errors etc.

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$sql = "SELECT 1, 2 FROM DUAL WHERE 'test' LIKE 'O\'chaos' AND :id";
$stmt = $db->prepare($sql);
$id = 0;
$stmt->bindParam(':id', $id);
$stmt->execute();

[2008-10-09 11:45 UTC] felipe@php.net

There is two problem here:
- Unclosed quotes isn't handled correctly
- The escape support was removed

[2008-10-10 12:19 UTC] felipe@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.

[2020-02-15 15:23 UTC] cmb@php.net

Related To: Bug #79276

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC