Bug #54674 mysqlnd valid_sjis_(head|tail) is using invalid operator and range.
Submitted: 2011-05-06 11:54 UTC Modified: 2011-05-10 09:15 UTC
From: nihen at megabbs dot com Assigned: mysql
Status: Closed Package: PDO related
PHP Version: 5.3.6 OS: All
Private report: No CVE-ID:
 [2011-05-06 11:54 UTC] nihen at megabbs dot com
Description:
------------
Impacts:
1. mysqli->real_escape_string
2. use of PDO with PDO::ATTR_EMULATE_PREPARES = true

"real_escape_string" must not escape multi-byte characters, but it escapes them.

This bug may cause SQL injection.

Test script:
---------------
<?php
// Shift_JIS encoding of U+30BD (katakana SO): 0x83 0x5C.
// The trail byte 0x5C is the ASCII backslash, so a charset-unaware
// escaper will wrongly insert a backslash in front of it.
$japanese_so = pack('H4', '835c');

$mysql = mysqli_connect('localhost', 'sandbox', 'sandbox');
$mysql->set_charset('sjis');
// A correct SJIS-aware escaper must return the two bytes unchanged.
echo $mysql->real_escape_string($japanese_so) === $japanese_so ? 'ok' : 'ng';
echo "\n";


Expected result:
----------------
echo "ok\n"

Actual result:
--------------
echo "ng\n"

Patches

mysqlnd_charset_fix_sjis.patch (last revision 2011-05-06 09:54 UTC by nihen at megabbs dot com)


History

 [2011-05-06 12:11 UTC] nihen at megabbs dot com
Original report by Hiroshi Tokumaru.
http://www.tokumaru.org/d/20110322.html#p01
http://www.tokumaru.org/d/20110329.html#p01
(lang:japanese)
 [2011-05-09 17:50 UTC] uw@php.net
-Assigned To: +Assigned To: mysql
 [2011-05-09 18:20 UTC] andrey@php.net
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&revision=310856
Log: Fix for bug 54674..typo in the check of SJIS
 [2011-05-09 18:24 UTC] andrey@php.net
-Status: Assigned +Status: Closed
 [2011-05-09 18:24 UTC] andrey@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the report!
 [2011-05-10 05:31 UTC] nihen at megabbs dot com
-Status: Closed +Status: Assigned
 [2011-05-10 05:31 UTC] nihen at megabbs dot com
Thank you for "operator" fix.
but, it does not fix invalid "range".

> #define valid_sjis_tail(c)  ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <= (c) && (c) <= 0x7C))

to

#define valid_sjis_tail(c)  ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <= (c) && (c) <= 0xFC))

is correct.
s/7C/FC/
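The following is an added example, not code from the report, the patch, or mysqlnd, showing why the tail-byte range matters for escaping. It implements a small SJIS-aware escaper built on the two macros, the corrected one the reporter gives and the one with the 0x80..0x7C typo, and runs it over constructed input. The lead-byte macro valid_sjis_head, the escaping rules, and the function names are assumptions for this example; the page only quotes the tail macro. With the typo, a two-byte character whose trail byte is 0x80 or above is split, the following backslash is absorbed as the trail byte of a bogus character, and the quote after it reaches the server unescaped. The report's own test case (0x83 0x5C) has a trail byte below 0x80, so it is handled identically by both versions of the tail macro here.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Tail-byte check in the form the reporter gives as correct. */
#define valid_sjis_tail(c)  ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <= (c) && (c) <= 0xFC))
/* Tail-byte check with the range typo quoted in the report: 0x80..0x7C can never match. */
#define typo_sjis_tail(c)   ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <= (c) && (c) <= 0x7C))
/* Shift_JIS lead-byte ranges. Assumed for this example; the page only quotes the tail macro. */
#define valid_sjis_head(c)  ((0x81 <= (c) && (c) <= 0x9F) || (0xE0 <= (c) && (c) <= 0xFC))

/* Byte length (1 or 2) of the character at s[0], given n remaining bytes.
 * `fixed` selects the corrected tail check (1) or the typo'd one (0). */
static size_t sjis_charlen(const unsigned char *s, size_t n, int fixed)
{
    if (n >= 2 && valid_sjis_head(s[0])) {
        int tail_ok = fixed ? valid_sjis_tail(s[1]) : typo_sjis_tail(s[1]);
        if (tail_ok)
            return 2;
    }
    return 1;
}

/* Charset-aware escaping in the style of real_escape_string: single-byte
 * metacharacters get a backslash, two-byte characters are copied untouched.
 * Returns the output length; out must hold at least 2*n bytes. */
size_t sjis_escape(const unsigned char *in, size_t n, unsigned char *out, int fixed)
{
    size_t i = 0, o = 0;
    while (i < n) {
        if (sjis_charlen(in + i, n - i, fixed) == 2) {
            out[o++] = in[i];
            out[o++] = in[i + 1];
            i += 2;
            continue;
        }
        unsigned char c = in[i++];
        unsigned char esc = 0;
        switch (c) {
        case '\0': esc = '0'; break;
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case 0x1A: esc = 'Z'; break;
        case '\'': case '"': case '\\': esc = c; break;
        }
        if (esc)
            out[o++] = '\\';
        out[o++] = esc ? esc : c;
    }
    return o;
}

/* How a correct SJIS parser (the server) reads the escaped bytes: a single-byte
 * backslash protects the next byte; returns 1 if a bare quote is reached. */
int server_sees_bare_quote(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        size_t len = sjis_charlen(s + i, n - i, 1);
        if (len == 1 && s[i] == '\\') { i += 2; continue; }
        if (len == 1 && s[i] == '\'') return 1;
        i += len;
    }
    return 0;
}

/* The report's test case: U+30BD SO is 0x83 0x5C; the trail byte is the ASCII backslash. */
int so_is_left_intact(int fixed)
{
    const unsigned char so[] = { 0x83, 0x5C };
    unsigned char out[8];
    size_t n = sjis_escape(so, sizeof so, out, fixed);
    return n == 2 && memcmp(out, so, 2) == 0;
}

/* Constructed input: a two-byte character with trail byte 0x83 (above 0x80),
 * then a backslash and a single quote that both need escaping. */
static const unsigned char demo_in[] = { 0x83, 0x83, 0x5C, 0x27 };

size_t escaped_demo_len(int fixed)
{
    unsigned char out[16];
    return sjis_escape(demo_in, sizeof demo_in, out, fixed);
}

int bare_quote_after_escape(int fixed)
{
    unsigned char out[16];
    size_t n = sjis_escape(demo_in, sizeof demo_in, out, fixed);
    return server_sees_bare_quote(out, n);
}

int main(void)
{
    printf("SO intact: fixed=%d typo=%d\n", so_is_left_intact(1), so_is_left_intact(0));
    printf("escaped length: fixed=%zu typo=%zu\n", escaped_demo_len(1), escaped_demo_len(0));
    printf("bare quote reaches server: fixed=%d typo=%d\n",
           bare_quote_after_escape(1), bare_quote_after_escape(0));
    return 0;
}
```

With the corrected range the escaper emits 83 83 5C 5C 5C 27 (both metacharacters escaped); with the typo it emits 83 83 5C 5C 27, which the server parses as the character 83 83, an escaped backslash, and a bare quote that closes the string literal.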
 [2011-05-10 09:15 UTC] andrey@php.net
-Status: Assigned +Status: Closed
 [2011-05-10 09:15 UTC] andrey@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Range fixed in SVN. Thanks!
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 19:01:53 2014 UTC