PHP :: Bug #77729 :: SECURITY BUG: SQL Injection with PDO::quote()

Bug #77729	SECURITY BUG: SQL Injection with PDO::quote()
Submitted:	2019-03-12 19:38 UTC	Modified:	2019-03-12 21:37 UTC
From:	bogdanteleru at yahoo dot com	Assigned:
Status:	Not a bug	Package:	PDO MySQL
PHP Version:	7.2.16	OS:	MacOS Mojave v10.14.3
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bogdanteleru at yahoo dot com
New email:
PHP Version:		OS:

New Comment:

[2019-03-12 19:38 UTC] bogdanteleru at yahoo dot com

Description:
------------
---
From manual page: https://php.net/pdo.quote
---

Running PDO::quote() on a string which ends in a quote (e.g. Naughty ' string') will result in a string which ends in an escaped quote (e.g. 'Naughty \' string\'). This opens a door to SQL injection; see the vulnerability example in the 'Test script' box, below.

Test script:
---------------
$name = '; DROP TABLE `test_table`; --\'';

// Sample PDO connection; can be whatever
$conn = new PDO('sqlite:/home/lynn/music.sql3');

$query = "SELECT * FROM `students` WHERE `first_name` = '%s' OR `last_name` = '%s'";
$query = sprintf($query, $conn->quote($name), $conn->quote($name));

echo $query;


Expected result:
----------------
I'm expecting the PHP script to echo the following string:
SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\'' OR `last_name` = '; DROP TABLE `test_table`; --\''

However, as seen in the 'Actual result' box, it's missing the end quote each time $name was inserted into the query string. This happens because PDO::quote() doesn't add the end quote if the original string already ends in a quote, as explained in the 'Description' box.

Actual result:
--------------
The script will echo:
SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\' OR `last_name` = '; DROP TABLE `test_table`; --\'

The above is basically two MySQL queries:
1. SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\' OR `last_name` = ';
2. DROP TABLE `test_table`; // dangerous

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-03-12 19:45 UTC] bogdanteleru at yahoo dot com

-Status: Open +Status: Closed

[2019-03-12 19:45 UTC] bogdanteleru at yahoo dot com

Nevermind, there's no actual bug.

[2019-03-12 19:46 UTC] bogdanteleru at yahoo dot com

Closed

[2019-03-12 21:37 UTC] requinix@php.net

-Status: Closed +Status: Not a bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 17:01:58 2024 UTC