Bug #54674 mysqlnd valid_sjis_(head|tail) is using invalid operator and range.
Submitted: 2011-05-06 11:54 UTC Modified: 2011-05-10 09:15 UTC
From: nihen at megabbs dot com Assigned: mysql (profile)
Status: Closed Package: PDO related
PHP Version: 5.3.6 OS: All
Private report: No CVE-ID: None

 [2011-05-06 11:54 UTC] nihen at megabbs dot com
Description:
------------
Impacts:
1. mysqli->real_escape_string
2. PDO used with PDO::ATTR_EMULATE_PREPARES = true

"real_escape_string" must not escape a multi-byte character,
but it escapes it.

This bug may cause SQL injection.

Test script:
---------------
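<?php
// 0x83 0x5C: a two-byte SJIS character whose second byte equals ASCII backslash
$japanese_so = pack('H4', '835c');

$mysql = mysqli_connect('localhost', 'sandbox', 'sandbox');
$mysql->set_charset('sjis');
// A charset-aware escape must return the character unchanged
echo $mysql->real_escape_string($japanese_so) === $japanese_so ? 'ok' : 'ng';
echo "\n";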

Expected result:
----------------
echo "ok\n"

Actual result:
--------------
echo "ng\n"

Patches

mysqlnd_charset_fix_sjis.patch (last revision 2011-05-06 09:54 UTC by nihen at megabbs dot com)

History

 [2011-05-06 12:11 UTC] nihen at megabbs dot com
Original report by Hiroshi Tokumaru.
http://www.tokumaru.org/d/20110322.html#p01
http://www.tokumaru.org/d/20110329.html#p01
(lang:japanese)
 [2011-05-09 17:50 UTC] uw@php.net
-Assigned To: +Assigned To: mysql
 [2011-05-09 18:20 UTC] andrey@php.net
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&revision=310856
Log: Fix for bug 54674..typo in the check of SJIS
 [2011-05-09 18:24 UTC] andrey@php.net
-Status: Assigned +Status: Closed
 [2011-05-09 18:24 UTC] andrey@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the report!
 [2011-05-10 05:31 UTC] nihen at megabbs dot com
-Status: Closed +Status: Assigned
 [2011-05-10 05:31 UTC] nihen at megabbs dot com
Thank you for the "operator" fix,
but it does not fix the invalid "range".

> #define valid_sjis_tail(c)  ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <= (c) && (c) <= 0x7C))

to

#define valid_sjis_tail(c)  ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <= (c) && (c) <= 0xFC))

is correct.
s/7C/FC/
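
The effect of the range typo discussed above, as an added example that is not code from the PHP source tree or from any commenter: it compares the quoted tail-byte check with the corrected one and runs the report's test character through a simplified escaper. The lead-byte ranges, the escaper and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Tail check as quoted in the comment above: 0x80..0x7C is an empty range. */
static int tail_quoted(unsigned c) { return (0x40 <= c && c <= 0x7E) || (0x80 <= c && c <= 0x7C); }
/* Tail check with the corrected upper bound 0xFC. */
static int tail_fixed(unsigned c) { return (0x40 <= c && c <= 0x7E) || (0x80 <= c && c <= 0xFC); }
/* Assumption: standard Shift_JIS lead-byte ranges (head macro is not quoted on this page). */
static int sjis_head(unsigned c) { return (0x81 <= c && c <= 0x9F) || (0xE0 <= c && c <= 0xFC); }

typedef int (*tail_fn)(unsigned);

/* Number of byte values (0..255) a tail check accepts. */
int count_tails(tail_fn tail) {
    int n = 0;
    for (unsigned c = 0; c < 256; c++) n += tail(c) ? 1 : 0;
    return n;
}

/* Length of the character at p: 2 for a valid head+tail pair, otherwise 1. */
size_t sjis_char_len(const unsigned char *p, size_t left, tail_fn tail) {
    return (left >= 2 && sjis_head(p[0]) && tail(p[1])) ? 2 : 1;
}

/* Simplified charset-aware escaper (hypothetical, not mysqlnd's code): valid
 * two-byte characters are copied untouched; single quote, double quote and
 * backslash bytes get a backslash prefix. out must hold 2*n bytes. */
size_t sjis_escape(const unsigned char *in, size_t n, unsigned char *out, tail_fn tail) {
    size_t i = 0, o = 0;
    while (i < n) {
        if (sjis_char_len(in + i, n - i, tail) == 2) {
            out[o++] = in[i++];
            out[o++] = in[i++];
            continue;
        }
        if (in[i] == '\'' || in[i] == '"' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i++];
    }
    return o; /* number of bytes written */
}

/* Constructed samples: 0x83 0x5C is the report's test character; 0x82 0xA0
 * is a two-byte character whose tail byte lies in 0x80..0xFC. */
static const unsigned char SO[] = { 0x83, 0x5C }, A[] = { 0x82, 0xA0 };

int main(void) {
    unsigned char out[4];
    printf("tails accepted: quoted=%d fixed=%d\n", count_tails(tail_quoted), count_tails(tail_fixed));
    printf("len(82 A0): quoted=%zu fixed=%zu\n", sjis_char_len(A, 2, tail_quoted), sjis_char_len(A, 2, tail_fixed));
    printf("escape(83 5C) -> %zu bytes (2 = unchanged)\n", sjis_escape(SO, 2, out, tail_fixed));
    return 0;
}
```

With the quoted range the check accepts 63 tail byte values instead of 188, so a character such as 0x82 0xA0 is framed as two separate bytes rather than one two-byte character.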
 [2011-05-10 09:15 UTC] andrey@php.net
-Status: Assigned +Status: Closed
 [2011-05-10 09:15 UTC] andrey@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Range fixed in SVN. Thanks!
 
Last updated: Thu Nov 21 11:01:29 2024 UTC