Request #68856 add arg to odbc_execute() so values not treated as filenames
Submitted: 2015-01-19 13:04 UTC Modified: 2020-10-05 13:02 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: j dot faithw at yahoo dot com Assigned:
Status: Verified Package: ODBC related
PHP Version: 5.6.4 OS:
Private report: No CVE-ID: None

 

 [2015-01-19 13:04 UTC] j dot faithw at yahoo dot com
Description:
------------
Currently odbc_execute is declared as:
  bool odbc_execute ( resource $result_id [, array $parameters_array ] )

But parameters_array has a quirk, i.e.:
    Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.

I suggest that an additional argument be added, i.e.
  bool odbc_execute ( resource $result_id [, array $parameters_array [, mixed $filenames = true ]] )

By default $filenames would be true and the existing functionality will be unchanged. But if false the values in $parameters_array will never be interpreted as filenames. Also $filenames could be an array of true/false values specifying for each element of $parameters_array if the value should be interpreted as a filename.

This change would allow odbc_prepare and odbc_execute to be used more often, in particular to help protect against SQL injection attacks which odbc_exec is prone to.
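
As an added illustration (editor's example, not part of the report and not code from ext/odbc), here is a small PHP wrapper a defender can put in front of odbc_execute() today, before any such argument exists. It refuses any string parameter that starts and ends with a single quote, so a user-supplied value can never be silently turned into a server-side file read, and it provides an explicit value object (hypothetical name OdbcFileParam) for the rare case where reading a file is actually intended, in the spirit of the CURLFile-style object cmb@php.net suggests in the history below. The wrapper name, the class name and the connection details are assumptions; the quote check itself is taken from the documented behaviour quoted in the report. PHP 8.0+ syntax.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical marker object: the only way a caller may ask for a
 * parameter to be read from a file. Plain strings are never treated
 * as filenames by the wrapper below.
 */
final class OdbcFileParam
{
    public function __construct(public string $path) {}
}

/**
 * True if odbc_execute() would interpret $value as a filename:
 * a string of at least two characters that starts and ends with a
 * single quote (the quirk quoted from the manual in the report).
 */
function odbc_would_read_file(string $value): bool
{
    return strlen($value) >= 2 && $value[0] === "'" && $value[-1] === "'";
}

/**
 * Drop-in replacement for odbc_execute() that closes the file-read path
 * for untrusted data. Each element of $params is either a scalar, which
 * is always sent as data, or an OdbcFileParam, whose file is read here
 * under the caller's control. Assumed wrapper, not part of ext/odbc.
 *
 * @param resource                            $stmt   statement from odbc_prepare()
 * @param array<int, scalar|OdbcFileParam>    $params positional placeholder values
 */
function safe_odbc_execute($stmt, array $params): bool
{
    $clean = [];
    foreach ($params as $i => $p) {
        if ($p instanceof OdbcFileParam) {
            $data = file_get_contents($p->path);
            if ($data === false) {
                throw new RuntimeException("cannot read file for parameter $i");
            }
            $p = $data; // send the file contents as data, never the path
        }
        $p = (string) $p;
        // Whether it came from the caller or from a file, a value that
        // starts and ends with a single quote would be re-interpreted as
        // a filename by odbc_execute(); refuse rather than guess.
        if (odbc_would_read_file($p)) {
            throw new InvalidArgumentException(
                "parameter $i would be treated as a filename by odbc_execute()"
            );
        }
        $clean[] = $p;
    }
    return odbc_execute($stmt, $clean);
}

// Usage (DSN and credentials are placeholders):
// $conn = odbc_connect('DSN=example', 'user', 'pass');
// $stmt = odbc_prepare($conn, 'SELECT id FROM users WHERE name = ?');
// safe_odbc_execute($stmt, [$name]);   // a value such as "'abc'" is rejected, not opened as a file
// safe_odbc_execute($stmt, [new OdbcFileParam('/srv/data/note.txt')]); // explicit, intended file read
```

Note that the check is applied after reading an OdbcFileParam as well: if the file's own contents happen to start and end with a single quote, odbc_execute() would open them as a second filename, so the wrapper rejects that case instead of passing it through.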



History

 [2020-10-05 13:02 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-10-05 13:02 UTC] cmb@php.net
I agree that this "feature" raises potential security concerns.
The suggested solution to add an optional $filenames parameter
might be a viable workaround for now, but in the long run
parameters enclosed in single-quotes should not be treated as
filenames at all, but rather that should be catered to by special
objects, similar to what has been done for CURLOPT_POSTFIELDS by
introducing the CURLFile class.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Dec 01 21:01:23 2020 UTC