php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75978 Improper parsing
Submitted: 2018-02-18 19:49 UTC Modified: 2018-02-20 02:39 UTC
From: fwilliams22 at gmail dot com Assigned: peehaa (profile)
Status: Closed Package: Strings related
PHP Version: Irrelevant OS: Windows/Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: fwilliams22 at gmail dot com
New email:
PHP Version: OS:

 

 [2018-02-18 19:49 UTC] fwilliams22 at gmail dot com
Description:
------------
"CVS" string processing fails to properly parse " (quote) delimited fields.
delimited fields containing an ' (apostrophe) fail to parse correctly.  Appears that parser recognizes an embedded apostrophe as a field delimiter.

My workaround is:

while (($data = fgets($handle, 500))) {
	$data = str_replace("'","\\'",$data);				
        $data = str_getcsv($data, ",",'"');
	$query = "INSERT INTO `address` 
           (`fname`,`lname`,`address`,`city`,`state`," .
	   "`postcode`,`aux`)".
           " VALUES '$data[0]','$data[1]','$data[2]','$data[3]'," .
           "'$data[4]','$data[5]','$data[6]');";
	$result = $db->exec($query);

Not all test cases seem to fail.  I have had to use the above workaround to update a MySQL table.  The below example test script seems to have worked leaving "\\'" in the test field?

Anyhow that's my story and I'm sticking to it.

Could be the issue is in the PDO MySQL driver?

One of 'em needs more testing.



Test script:
---------------
$data = "\"Got'ta apostrophe you can spare?\"";
$data = str_replace("'","\\'",$data);				
$data = str_getcsv($data, ",",'"');



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-18 20:00 UTC] peehaa@php.net
-Status: Open +Status: Feedback
 [2018-02-18 20:00 UTC] peehaa@php.net
It's a bit hard to understand what the problem is reporting, but by the looks of it it's just an SQL injection by yourself?

Use prepared statements so you don't have these problems.
 [2018-02-18 20:01 UTC] peehaa@php.net
> "CVS" string processing fails to properly parse " (quote) delimited fields.

Works fine: https://3v4l.org/uEUO0
 [2018-02-18 20:24 UTC] spam2 at rhsoft dot net
hell, learn about value escaping which are basics when you deal with databases

every non hardcoded input is untrusted and bad until the opposite is prove3
 [2018-02-20 02:39 UTC] peehaa@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: peehaa
 [2018-02-20 02:39 UTC] peehaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 11:01:30 2024 UTC