php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #16895 Bad char encoding
Submitted: 2002-04-29 03:45 UTC Modified: 2002-07-28 06:55 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: benoit dot sibaud at rd dot francetelecom dot com Assigned: yohgaki (profile)
Status: Wont fix Package: PostgreSQL related
PHP Version: 4.1.2 OS: GNU/Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: benoit dot sibaud at rd dot francetelecom dot com
New email:
PHP Version: OS:

 

 [2002-04-29 03:45 UTC] benoit dot sibaud at rd dot francetelecom dot com 
Cf http://lists.debian.org/debian-security/2002/debian-security-200204/msg00328.html

A bad char encoding between PHP and PostgreSQL (don't know which is guilty here), followed by a bug in SQL queries in PostgreSQL can lead to execute any SQL request.

Sample code here:

%<----------------------------------------
   $conn = pg_connect("dbname=" . BASE_DOC . " port=" . BASE_PORT
                    . " user=" . BASE_USER);
   $var="?\'; BAD REQUEST";
   pg_exec($conn, "SET client_encoding = 'LATIN1'");
   $request = "SELECT col FROM tab WHERE col='" . addslashes($var) . "'";
%<----------------------------------------

See Debian-security archive for more details. Already tested on a Debian Woody with PHP-cgi 4.1.2 (+php4-pgsql+php4-pear).

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-20 20:28 UTC] yohgaki@php.net 
Just a comment.
Those who are concerned about this problem, upgrade your PostgreSQL to 7.2.1 or later.
 [2002-07-28 06:55 UTC] yohgaki@php.net 
Since this behavior occurs in libpq (PostgreSQL provided C programming interface), there is nothing much we can do that. 

Please update your PostgreSQL sever to 7.2.1 or later.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue May 13 12:01:27 2025 UTC