|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16895 Bad char encoding
Submitted: 2002-04-29 03:45 UTC Modified: 2002-07-28 06:55 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: benoit dot sibaud at rd dot francetelecom dot com Assigned: yohgaki (profile)
Status: Wont fix Package: PostgreSQL related
PHP Version: 4.1.2 OS: GNU/Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: benoit dot sibaud at rd dot francetelecom dot com
New email:
PHP Version: OS:


 [2002-04-29 03:45 UTC] benoit dot sibaud at rd dot francetelecom dot com

A bad char encoding between PHP and PostgreSQL (don't know which is guilty here), followed by a bug in SQL queries in PostgreSQL can lead to execute any SQL request.

Sample code here:

   $conn = pg_connect("dbname=" . BASE_DOC . " port=" . BASE_PORT
                    . " user=" . BASE_USER);
   $var="?\'; BAD REQUEST";
   pg_exec($conn, "SET client_encoding = 'LATIN1'");
   $request = "SELECT col FROM tab WHERE col='" . addslashes($var) . "'";

See Debian-security archive for more details. Already tested on a Debian Woody with PHP-cgi 4.1.2 (+php4-pgsql+php4-pear).


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-20 20:28 UTC]
Just a comment.
Those who are concerned about this problem, upgrade your PostgreSQL to 7.2.1 or later.

 [2002-07-28 06:55 UTC]
Since this behavior occurs in libpq (PostgreSQL provided C programming interface), there is nothing much we can do that. 

Please update your PostgreSQL sever to 7.2.1 or later.

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Sep 25 04:03:37 2021 UTC