php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #68856 add arg to odbc_execute() so values not treated as filenames
Submitted: 2015-01-19 13:04 UTC Modified: 2020-10-05 13:02 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: j dot faithw at yahoo dot com Assigned:
Status: Verified Package: ODBC related
PHP Version: 5.6.4 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: j dot faithw at yahoo dot com
New email:
PHP Version: OS:

 

 [2015-01-19 13:04 UTC] j dot faithw at yahoo dot com 
Description:
------------
currently odbc_execute is declared as:-
  bool odbc_execute ( resource $result_id [, array $parameters_array ] )

But parameters_array has a quirk i.e:-
    Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.

I suggest that an additional argument be added i.e.
  bool odbc_execute ( resource $result_id [, array $parameters_array [, mixed $filenames = true ]] )

By default $filenames would be true and the existing functionality will be unchanged. But if false the values in $parameters_array will never be interpreted as filenames. Also $filenames could be an array of true/false values specifying for each element of $parameters_array if the value should be interpreted as a filename.

This change would allow odbc_prepare and odbc_execute to be used more often, in particular to help protect against SQL injection attacks which odbc_exec is prone to.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-10-05 13:02 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-10-05 13:02 UTC] cmb@php.net 
I agree that this "feature" raises potential security concerns.
The suggested solution to add an optional $filenames parameter
might be a viable workaround for now, but in the long run
parameters enclosed in single-quotes should not be treated as
filenames at all, but rather that should be catered to by special
objects, similar to what has been done for CURLOPT_POSTFIELDS by
introducing the CURLFile class.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 16 12:01:29 2024 UTC