php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41125 PDO mysql + quote() + prepare() can result in seg fault
Submitted: 2007-04-17 20:34 UTC Modified: 2008-10-10 12:19 UTC
Votes:6
Avg. Score:4.7 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:0 (0.0%)
From: ed at bronto dot com Assigned: felipe (profile)
Status: Closed Package: PDO related
PHP Version: 5.2.1 OS: Centos
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ed at bronto dot com
New email:
PHP Version: OS:

 

 [2007-04-17 20:34 UTC] ed at bronto dot com
Description:
------------
Using PDO->quote on a portion of a query to be prepared will result in a seg fault if:

- there is a bound parameter after the quoted value
- emulated prepares is on (1)
- mysql

If emulated prepares is off (0), the query fails.  This should also be considered a bug.

Reproduce code:
---------------
//test.php

//the mysql table first: create table ed (id int not null, name varchar(255) not null);

$db = new PDO('mysql:host=' . HOST . ';dbname=' . NAME, USERNAME, PASSWORD);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);

$search = "o'riley";

$values = array();
$sql = "select id from ed where name like " . $db->quote('%' . $search . '%');
$sth = $db->prepare($sql);
$sth->execute($values);
echo("here\n");

$values = array('id' => 1233434);
$sql = "select id from ed where name like " . $db->quote('%' . $search . '%') . " and id = :id";
$sth = $db->prepare($sql);
$sth->execute($values);
echo("there\n");


Expected result:
----------------
No errors should occur.

Should print "here\nthere\n".

Actual result:
--------------
[ed@a_machine]$ php test.php
here
Segmentation fault


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-04-17 20:36 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2007-04-25 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-05-23 19:48 UTC] afranco at middlebury dot edu
I have the same issue as this bug and am posting here rather than opening a new bug report. I found that the issue is not reliant on usage of quote(), but rather the presence of escaped quotes in the SQL query string.

Tested on PHP 5.2CVS-2008-05-23(Snap)

Reproduce code:
---------------
The following URL has several extended test scripts and source, as well as the MySQL table definition/data to reproduce this bug:

http://slug.middlebury.edu/~afranco/PHP_PDO_segfault/


Expected result:
----------------
No errors should occur.


Actual result:
--------------
Here is the backtrace from running my segfault_test_short.php script:

Program received signal SIGSEGV, Segmentation fault.

#0  0x4020540c in memcpy () from /lib/tls/libc.so.6
#1  0x40cd543b in pdo_parse_params (stmt=0x8326320, 
    inquery=0x83264ac "SELECT * \nFROM \n\t`az2_explicit_az` \nWHERE \n\t`fk_agent` IN ('Tim O\\'Brien - abcdefghijklmnopqrstuvwxyzabc')\n\t AND `fk_qualifier`=?", inquery_len=129, outquery=0x832636c, outquery_len=0x8326370)
    at /usr/local/src/php5.2-200805231430/ext/pdo/pdo_sql_parser.c:502
#2  0x40ccee0c in zim_PDOStatement_execute (ht=0, return_value=0x8326710, return_value_ptr=0x0, this_ptr=0x8325cb8, return_value_used=0)
    at /usr/local/src/php5.2-200805231430/ext/pdo/pdo_stmt.c:482
#3  0x40ea7c5b in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb730) at zend_vm_execute.h:200
#4  0x40ea81a7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfffb730) at zend_vm_execute.h:322
#5  0x40ea786e in execute (op_array=0x83242ec) at zend_vm_execute.h:92
#6  0x40e87c08 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php5.2-200805231430/Zend/zend.c:1134
#7  0x40e3fb0e in php_execute_script (primary_file=0xbfffda40) at /usr/local/src/php5.2-200805231430/main/main.c:2005
#8  0x40eef991 in apache_php_module_main (r=0x8522648, display_source_mode=0)
    at /usr/local/src/php5.2-200805231430/sapi/apache/sapi_apache.c:53
#9  0x40ef06fc in send_php (r=0x8522648, display_source_mode=0, filename=0x85243b0 "")
    at /usr/local/src/php5.2-200805231430/sapi/apache/mod_php5.c:664
#10 0x40ef0747 in send_parsed_php (r=0x8522648) at /usr/local/src/php5.2-200805231430/sapi/apache/mod_php5.c:679
#11 0x08057b67 in ap_invoke_handler ()
#12 0x0806a501 in process_request_internal ()
#13 0x0806a700 in ap_process_request ()
#14 0x08060a3b in child_main ()
#15 0x08060dd6 in make_child ()
#16 0x08060f0a in startup_children ()
#17 0x0806257c in standalone_main ()
#18 0x080638b2 in main ()
 [2008-05-23 20:00 UTC] ed at bronto dot com
reopened due to backtrace
 [2008-07-03 17:36 UTC] uw@php.net
This bug still exists in PHP 5_3. Its as simple as this to crash PDO:

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$db->query("SELECT 1 FROM DUAL WHERE 'test' LIKE '\'' AND 0 > :id");

==20117== Invalid read of size 1
==20117==    at 0x4A21EF8: memcpy (mc_replace_strmem.c:402)
==20117==    by 0x4E3475: pdo_parse_params (pdo_sql_parser.re:291)
==20117==    by 0x4DB205: zim_PDOStatement_execute (pdo_stmt.c:482)
==20117==    by 0x7858AD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313)
==20117==    by 0x786638: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:422)
==20117==    by 0x784AF9: execute (zend_vm_execute.h:104)
==20117==    by 0x758DF9: zend_execute_scripts (zend.c:1198)
==20117==    by 0x6E5D5E: php_execute_script (main.c:2082)
==20117==    by 0x7F6986: main (php_cli.c:1139)

 [2008-07-03 17:52 UTC] uw@php.net
Grr, I need a break - same pattern but should not cause any parse errors etc.

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, 1);
$sql = "SELECT 1, 2 FROM DUAL WHERE 'test' LIKE 'O\'chaos' AND :id";
$stmt = $db->prepare($sql);
$id = 0;
$stmt->bindParam(':id', $id);
$stmt->execute();

 [2008-10-09 11:45 UTC] felipe@php.net
There is two problem here:
- Unclosed quotes isn't handled correctly
- The escape support was removed
 [2008-10-10 12:19 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC