|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68856 add arg to odbc_execute() so values not treated as filenames
Submitted: 2015-01-19 13:04 UTC Modified: 2020-10-05 13:02 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: j dot faithw at yahoo dot com Assigned:
Status: Verified Package: ODBC related
PHP Version: 5.6.4 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
39 - 13 = ?
Subscribe to this entry?

 [2015-01-19 13:04 UTC] j dot faithw at yahoo dot com
currently odbc_execute is declared as:-
  bool odbc_execute ( resource $result_id [, array $parameters_array ] )

But parameters_array has a quirk i.e:-
    Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.

I suggest that an additional argument be added i.e.
  bool odbc_execute ( resource $result_id [, array $parameters_array [, mixed $filenames = true ]] )

By default $filenames would be true and the existing functionality will be unchanged. But if false the values in $parameters_array will never be interpreted as filenames. Also $filenames could be an array of true/false values specifying for each element of $parameters_array if the value should be interpreted as a filename.

This change would allow odbc_prepare and odbc_execute to be used more often, in particular to help protect against SQL injection attacks which odbc_exec is prone to.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-10-05 13:02 UTC]
-Status: Open +Status: Verified
 [2020-10-05 13:02 UTC]
I agree that this "feature" raises potential security concerns.
The suggested solution to add an optional $filenames parameter
might be a viable workaround for now, but in the long run
parameters enclosed in single-quotes should not be treated as
filenames at all, but rather that should be catered to by special
objects, similar to what has been done for CURLOPT_POSTFIELDS by
introducing the CURLFile class.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 21 11:01:27 2024 UTC