php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63419 PDO::quote for SQLite truncates strings on \0
Submitted: 2012-11-02 11:06 UTC Modified: 2014-12-30 10:41 UTC
Votes:5
Avg. Score:4.8 ± 0.4
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:-1 (-20.0%)
From: daniel dot kinzler at wikimedia dot de Assigned:
Status: No Feedback Package: PDO related
PHP Version: 5.3.18 OS: Ubuntu 11.10
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-11-02 11:06 UTC] daniel dot kinzler at wikimedia dot de
Description:
------------
PDO::quote for SQLite is not binary safe, it silently truncates strings on \0. Either, \0 should be supported, or the method should trigger a warning if \0 is found and return false.

Note that the same problem exists with SQLite3::escapeString, see Bug 62361. In that report, someone pointed to SQLite's mprintf as the culprit <http://www.sqlite.org/c3ref/mprintf.html>. From mprintf's documentation:

"The %q option works like %s in that it substitutes a nul-terminated string from the argument list."

It operates on null-terminated strings, so null must not be present in strings. PDO needs to work around this fact.

Test script:
---------------
<?php

// This contains ASCII 0x00 aka \0
$data = "x\0y";

$pdo = new PDO( "sqlite:test", '', '', array( PDO::ATTR_PERSISTENT => false ) );
print "PDO/SQLite: " . bin2hex( $pdo->quote( $data ) ) . "\n";


Expected result:
----------------
Raw: 'xy'
Hex: 2778007827

Note that the 'xy' above is intended to contain an invisible null character.
Alternatively, the hex representation could be used:

Raw: x'2778007827'.

That would probably be the safest option, and should Just Work with existing code.


Actual result:
--------------
Raw: 'x'
Hex: 277827


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-11-02 11:16 UTC] daniel dot kinzler at wikimedia dot de
Sorry, here's the correct version of the test script:

<?php

// This contains ASCII 0x00 aka \0
$data = "x\0y";

$pdo = new PDO( "sqlite:test", '', '', array( PDO::ATTR_PERSISTENT => false ) );
$result = $pdo->quote( $data );


print "Raw: " . $result . "\n";
print "Hex: " . bin2hex( $result ) . "\n";
 [2012-11-02 11:30 UTC] daniel dot kinzler at wikimedia dot de
I'd like to add some information about my use case for this. I was storing serialized PHP objects in the database. Serialized PHP objects seem to use NUL (\0) to mark protected and private fields. Trying to store such a string into SQLite would truncate it, effectively rendering the serialized data unusable.

Now, why the hell does PHP use \0 in the serialized representation of objects?! Serializations should be robust and designed with interoperability in mind! Oh well, I guess that's a rant for another time.
 [2013-10-24 07:28 UTC] yohgaki@php.net
-Status: Open +Status: Feedback
 [2013-10-24 07:28 UTC] yohgaki@php.net
I'm not sure if this change is usable or not.

SQLite3 does not have quote feature. It only has prepared query type API. Even if I change quote method, it may not work.

Are you sure quote works with null byte escapes? If I were sqlite3 developer, I just don't care escaped chars, etc, in a SQL string since there should not be such chars in SQL query definition strings.

If you find out it works, this behavior may be fixed.
 [2013-10-24 07:30 UTC] yohgaki@php.net
FYI

quoting is done by PHP, not SQLite, since there is no such API in SQLite3.
 [2014-12-30 10:41 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-04-02 20:38 UTC] me at evertpot dot com
I just noticed the same here with prepared statements. I'm trying to store a serialized PHP object that contains a 0x00 value. The value gets truncated without warning.
 [2015-04-02 20:58 UTC] me at evertpot dot com
Correction: the value is stored, but not correctly displayed in the sqlite3 command line tool. Ignore my last comment.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Sep 18 15:01:48 2019 UTC