Bug #41125 PDO mysql + quote() + prepare() can result in seg fault
Submitted: 2007-04-17 20:34 UTC Modified: 2008-10-10 12:19 UTC
Votes:6
Avg. Score:4.7 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:0 (0.0%)
From: ed at bronto dot com Assigned: felipe (profile)
Status: Closed Package: PDO related
PHP Version: 5.2.1 OS: Centos
Private report: No CVE-ID: None
 [2007-04-17 20:34 UTC] ed at bronto dot com
Description:
------------
Using PDO->quote on a portion of a query to be prepared will result in a seg fault if:

- there is a bound parameter after the quoted value
- emulated prepares is on (1)
- mysql

If emulated prepares is off (0), the query fails.  This should also be considered a bug.

Reproduce code:
---------------
<?php
//test.php

//the mysql table first: create table ed (id int not null, name varchar(255) not null);

// connection settings: placeholders, fill in for your environment
define('HOST', 'localhost');
define('NAME', 'test');
define('USERNAME', 'user');
define('PASSWORD', 'secret');

$db = new PDO('mysql:host=' . HOST . ';dbname=' . NAME, USERNAME, PASSWORD);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);

$search = "o'riley";

// 1) quoted value only, no bound parameter: works
$values = array();
$sql = "select id from ed where name like " . $db->quote('%' . $search . '%');
$sth = $db->prepare($sql);
$sth->execute($values);
echo("here\n");

// 2) quoted value followed by a bound parameter: segfaults with emulated prepares
$values = array('id' => 1233434);
$sql = "select id from ed where name like " . $db->quote('%' . $search . '%') . " and id = :id";
$sth = $db->prepare($sql);
$sth->execute($values);
echo("there\n");


Expected result:
----------------
No errors should occur.

Should print "here\nthere\n".

Actual result:
--------------
[ed@a_machine]$ php test.php
here
Segmentation fault


 [2007-04-17 20:36 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2007-04-25 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-05-23 19:48 UTC] afranco at middlebury dot edu
I have the same issue as this bug and am posting here rather than opening a new bug report. I found that the issue is not reliant on usage of quote(), but rather the presence of escaped quotes in the SQL query string.

Tested on PHP 5.2CVS-2008-05-23(Snap)

Reproduce code:
---------------
The following URL has several extended test scripts and source, as well as the MySQL table definition/data to reproduce this bug:

http://slug.middlebury.edu/~afranco/PHP_PDO_segfault/


Expected result:
----------------
No errors should occur.


Actual result:
--------------
Here is the backtrace from running my segfault_test_short.php script:

Program received signal SIGSEGV, Segmentation fault.

#0  0x4020540c in memcpy () from /lib/tls/libc.so.6
#1  0x40cd543b in pdo_parse_params (stmt=0x8326320, 
    inquery=0x83264ac "SELECT * \nFROM \n\t`az2_explicit_az` \nWHERE \n\t`fk_agent` IN ('Tim O\\'Brien - abcdefghijklmnopqrstuvwxyzabc')\n\t AND `fk_qualifier`=?", inquery_len=129, outquery=0x832636c, outquery_len=0x8326370)
    at /usr/local/src/php5.2-200805231430/ext/pdo/pdo_sql_parser.c:502
#2  0x40ccee0c in zim_PDOStatement_execute (ht=0, return_value=0x8326710, return_value_ptr=0x0, this_ptr=0x8325cb8, return_value_used=0)
    at /usr/local/src/php5.2-200805231430/ext/pdo/pdo_stmt.c:482
#3  0x40ea7c5b in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb730) at zend_vm_execute.h:200
#4  0x40ea81a7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfffb730) at zend_vm_execute.h:322
#5  0x40ea786e in execute (op_array=0x83242ec) at zend_vm_execute.h:92
#6  0x40e87c08 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php5.2-200805231430/Zend/zend.c:1134
#7  0x40e3fb0e in php_execute_script (primary_file=0xbfffda40) at /usr/local/src/php5.2-200805231430/main/main.c:2005
#8  0x40eef991 in apache_php_module_main (r=0x8522648, display_source_mode=0)
    at /usr/local/src/php5.2-200805231430/sapi/apache/sapi_apache.c:53
#9  0x40ef06fc in send_php (r=0x8522648, display_source_mode=0, filename=0x85243b0 "")
    at /usr/local/src/php5.2-200805231430/sapi/apache/mod_php5.c:664
#10 0x40ef0747 in send_parsed_php (r=0x8522648) at /usr/local/src/php5.2-200805231430/sapi/apache/mod_php5.c:679
#11 0x08057b67 in ap_invoke_handler ()
#12 0x0806a501 in process_request_internal ()
#13 0x0806a700 in ap_process_request ()
#14 0x08060a3b in child_main ()
#15 0x08060dd6 in make_child ()
#16 0x08060f0a in startup_children ()
#17 0x0806257c in standalone_main ()
#18 0x080638b2 in main ()
 [2008-05-23 20:00 UTC] ed at bronto dot com
reopened due to backtrace
 [2008-07-03 17:36 UTC] uw@php.net
This bug still exists in PHP 5_3. It's as simple as this to crash PDO:

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$db->query("SELECT 1 FROM DUAL WHERE 'test' LIKE '\'' AND 0 > :id");

==20117== Invalid read of size 1
==20117==    at 0x4A21EF8: memcpy (mc_replace_strmem.c:402)
==20117==    by 0x4E3475: pdo_parse_params (pdo_sql_parser.re:291)
==20117==    by 0x4DB205: zim_PDOStatement_execute (pdo_stmt.c:482)
==20117==    by 0x7858AD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313)
==20117==    by 0x786638: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:422)
==20117==    by 0x784AF9: execute (zend_vm_execute.h:104)
==20117==    by 0x758DF9: zend_execute_scripts (zend.c:1198)
==20117==    by 0x6E5D5E: php_execute_script (main.c:2082)
==20117==    by 0x7F6986: main (php_cli.c:1139)

 [2008-07-03 17:52 UTC] uw@php.net
Grr, I need a break - same pattern but should not cause any parse errors etc.

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$sql = "SELECT 1, 2 FROM DUAL WHERE 'test' LIKE 'O\'chaos' AND :id";
$stmt = $db->prepare($sql);
$id = 0;
$stmt->bindParam(':id', $id);
$stmt->execute();

 [2008-10-09 11:45 UTC] felipe@php.net
There are two problems here:
- Unclosed quotes aren't handled correctly
- The escape support was removed
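Both defects listed above are scanner problems in the emulated-prepare path (pdo_sql_parser in the backtraces): the placeholder scanner has to step over string literals correctly, including a backslash-escaped quote such as the 'O\'chaos' in the 2008-07-03 comment, and it has to stop at the end of the input when a quote is never closed instead of letting memcpy run past it. The following is an added C example written for this page; it is not PHP's own parser. It scans a query for :name and ? placeholders outside string literals, rewrites :name to ?, refuses an unterminated literal, and bounds-checks its output buffer. The function names, the MAX_PARAMS/MAX_NAME limits, the backslash_escapes switch and the queries fed to it are assumptions made for the example; switching backslash_escapes off mimics the "escape support removed" behaviour, and the same query then fails cleanly as unterminated rather than over-reading.

```c
/*
 * Added example (not PHP's pdo_sql_parser.re): a placeholder scanner for
 * emulated prepares that
 *   - skips string literals, honouring backslash escapes ('O\'chaos') when
 *     backslash_escapes is set, and doubled quotes ('it''s') always;
 *   - returns an error on an unterminated literal instead of scanning past
 *     the end of the input;
 *   - bounds-checks the output buffer while rewriting :name to "?".
 * Limits, names and the sample queries are this example's own assumptions.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 16
#define MAX_NAME   32

typedef struct {
    int  count;                       /* placeholders found outside literals */
    char names[MAX_PARAMS][MAX_NAME]; /* ":id" for named, "?" for positional */
    int  unterminated;                /* set when a quote is never closed */
} scan_result;

/*
 * Rewrite `in` into `out` (capacity outsz) with every :name replaced by "?".
 * Returns 0 on success, -1 on an unterminated literal, too many parameters,
 * an over-long name, or insufficient output space (out is then undefined).
 */
int scan_placeholders(const char *in, int backslash_escapes,
                      char *out, size_t outsz, scan_result *r)
{
    size_t n = strlen(in), i = 0, o = 0;
    memset(r, 0, sizeof *r);

    while (i < n) {
        char c = in[i];

        if (c == '\'' || c == '"' || c == '`') {
            /* Find the closing quote; the literal is copied through verbatim. */
            size_t j = i + 1;
            int closed = 0;
            while (j < n) {
                if (backslash_escapes && in[j] == '\\' && j + 1 < n) {
                    j += 2;                      /* \x: skip the escaped char */
                } else if (in[j] == c) {
                    if (j + 1 < n && in[j + 1] == c) {
                        j += 2;                  /* '' inside a literal */
                    } else {
                        closed = 1; j++; break;
                    }
                } else {
                    j++;
                }
            }
            if (!closed) { r->unterminated = 1; return -1; }
            if (o + (j - i) >= outsz) return -1; /* would overflow out */
            memcpy(out + o, in + i, j - i);
            o += j - i; i = j;
            continue;
        }

        if (c == ':' && i + 1 < n &&
            (isalpha((unsigned char)in[i + 1]) || in[i + 1] == '_')) {
            size_t j = i + 1;
            while (j < n && (isalnum((unsigned char)in[j]) || in[j] == '_')) j++;
            if (r->count >= MAX_PARAMS || j - i >= MAX_NAME) return -1;
            memcpy(r->names[r->count], in + i, j - i);
            r->names[r->count][j - i] = '\0';
            r->count++;
            c = '?'; i = j;                      /* emit "?" instead of :name */
        } else if (c == '?') {
            if (r->count >= MAX_PARAMS) return -1;
            strcpy(r->names[r->count++], "?");
            i++;
        } else {
            i++;
        }

        if (o + 1 >= outsz) return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return 0;
}

/* -1 on any scan error, otherwise the number of placeholders found. */
int count_params(const char *sql, int backslash_escapes)
{
    char out[512]; scan_result r;
    return scan_placeholders(sql, backslash_escapes, out, sizeof out, &r) ? -1 : r.count;
}

/* 1 if the scan succeeds and the rewritten query equals `expected`, else 0. */
int rewrites_to(const char *sql, int backslash_escapes, const char *expected)
{
    char out[512]; scan_result r;
    if (scan_placeholders(sql, backslash_escapes, out, sizeof out, &r)) return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* The query from the 2008-07-03 comment, as it reaches the parser. */
    const char *q = "SELECT 1, 2 FROM DUAL WHERE 'test' LIKE 'O\\'chaos' AND :id";
    char out[512]; scan_result r;

    int rc = scan_placeholders(q, 1, out, sizeof out, &r);
    printf("with escapes:    rc=%d params=%d first=%s\n", rc, r.count,
           r.count ? r.names[0] : "-");
    rc = scan_placeholders(q, 0, out, sizeof out, &r);
    printf("without escapes: rc=%d unterminated=%d\n", rc, r.unterminated);
    return 0;
}
```

Build with `cc -std=c99 -Wall scan.c -o scan && ./scan`. The practitioner-side lesson from the thread stands regardless of the parser fix: with ATTR_EMULATE_PREPARES on, the SQL text is re-scanned in C at execute time, so splicing PDO::quote() output into a statement that also carries placeholders exposes the scanner to whatever escaping the driver produced; binding every value and never concatenating quoted text into a prepared statement avoids the path entirely.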
 [2008-10-10 12:19 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.
 