php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #16895 Bad char encoding
Submitted: 2002-04-29 03:45 UTC Modified: 2002-07-28 06:55 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: benoit dot sibaud at rd dot francetelecom dot com Assigned: yohgaki (profile)
Status: Wont fix Package: PostgreSQL related
PHP Version: 4.1.2 OS: GNU/Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
29 + 46 = ?
Subscribe to this entry?

 
 [2002-04-29 03:45 UTC] benoit dot sibaud at rd dot francetelecom dot com 
Cf http://lists.debian.org/debian-security/2002/debian-security-200204/msg00328.html

A bad char encoding between PHP and PostgreSQL (don't know which is guilty here), followed by a bug in SQL queries in PostgreSQL can lead to execute any SQL request.

Sample code here:

%<----------------------------------------
   $conn = pg_connect("dbname=" . BASE_DOC . " port=" . BASE_PORT
                    . " user=" . BASE_USER);
   $var="?\'; BAD REQUEST";
   pg_exec($conn, "SET client_encoding = 'LATIN1'");
   $request = "SELECT col FROM tab WHERE col='" . addslashes($var) . "'";
%<----------------------------------------

See Debian-security archive for more details. Already tested on a Debian Woody with PHP-cgi 4.1.2 (+php4-pgsql+php4-pear).

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-20 20:28 UTC] yohgaki@php.net 
Just a comment.
Those who are concerned about this problem, upgrade your PostgreSQL to 7.2.1 or later.
 [2002-07-28 06:55 UTC] yohgaki@php.net 
Since this behavior occurs in libpq (PostgreSQL provided C programming interface), there is nothing much we can do that. 

Please update your PostgreSQL sever to 7.2.1 or later.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 15:01:32 2024 UTC