Bug #72346 mysql_query() not subject to max_execution_time()
Submitted: 2016-06-06 16:04 UTC
Modified: 2016-06-07 05:50 UTC
From: maggus dot staab at googlemail dot com
Assigned:
Status: Not a bug
Package: MySQL related
PHP Version: Irrelevant
OS:
Private report: No
CVE-ID: None
 [2016-06-06 16:04 UTC] maggus dot staab at googlemail dot com
Description:
------------
Similar to https://bugs.php.net/bug.php?id=72345

A DoS attack vector for SQL injections uses the MySQL SELECT SLEEP() command, as it will block a PHP process which is waiting for the MySQL result, and also one connection to the database itself.

This renders this kind of attack very effective, because you can easily bring either Apache/PHP or MySQL above its process limits.

Additionally, the MySQL version distributed with Ubuntu 12 LTS and Ubuntu 14 LTS is not recent enough to contain server-side timeouts on a per-statement basis.

Test script:
---------------
<?php
$start = time();
set_time_limit(2); // ask PHP to abort the script after 2 seconds

define("DB_HOSTNAME", "localhost");
define("DB_USERNAME", "root");
define("DB_PASSWORD", "");
define("DB_NAME",     "mysql");

$connection_id = mysql_connect(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, false);
mysql_query('SELECT SLEEP(5)', $connection_id); // blocks for 5 seconds on the server

$end = time();

echo $end - $start; // elapsed wall-clock seconds

Expected result:
----------------
MySQL query should be interrupted after 2 seconds with a fatal error.

Actual result:
--------------
No error, no timeouts triggered.

Echoes "5"

 [2016-06-06 16:26 UTC] maggus dot staab at googlemail dot com
-Package: *General Issues
+Package: *Database Functions
 [2016-06-06 16:26 UTC] maggus dot staab at googlemail dot com
Fixed package.
 [2016-06-06 23:53 UTC] requinix@php.net
-Status: Open
+Status: Not a bug
-Package: *Database Functions
+Package: MySQL related
 [2016-06-06 23:53 UTC] requinix@php.net
As the docs for set_time_limit() say, the time limit only measures time spent in the script itself. Database queries are not included because PHP is sleeping while those are running.
Server-side timeouts are the solution.
 [2016-06-07 05:50 UTC] maggus dot staab at googlemail dot com
I agree that server-side timeouts help in this kind of situation.

MySQL has supported server-side statement timeouts since 5.7.4, see http://mysqlserverteam.com/server-side-select-statement-timeouts/ , which is not bundled on Ubuntu 14 LTS...

Ubuntu 12 and 14 LTS are both used pretty frequently but don't support this kind of timeout out of the box :-/
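
Added example, not part of the bug thread or of PHP's own code: for servers without per-statement timeouts, as discussed in the comments above, a client can bound the wait itself by sending the query asynchronously with mysqli, polling with a deadline, and cancelling the statement with KILL QUERY. The helper names `connect()`, `query_with_deadline()` and `QueryTimeout`, and the connection settings, are assumptions made for illustration.

```php
<?php
// Added example, not code from the bug report. Connection settings are
// placeholders (assumptions). Requires mysqli built on mysqlnd.
$cfg = ['host' => 'localhost', 'user' => 'app', 'pass' => 'changeme', 'db' => 'test'];

class QueryTimeout extends RuntimeException {}   // hypothetical name

function connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
}

// Run $sql but stop waiting after $timeoutSec seconds of wall-clock time.
// On timeout the statement is cancelled with KILL QUERY, so it frees the
// MySQL connection as well as the PHP worker.
function query_with_deadline(array $cfg, string $sql, int $timeoutSec): array
{
    $db = connect($cfg);
    $db->query($sql, MYSQLI_ASYNC);            // send the query, do not block

    $read = $error = $reject = [$db];
    $ready = mysqli_poll($read, $error, $reject, $timeoutSec);

    if (!$ready) {                             // 0 = timed out, false = poll failed
        $killer = connect($cfg);               // second connection, same account
        $killer->query('KILL QUERY ' . (int) $db->thread_id);
        $killer->close();
        $db->close();
        throw new QueryTimeout("query exceeded {$timeoutSec}s and was killed");
    }

    $result = $db->reap_async_query();         // collect the finished result
    $rows = $result instanceof mysqli_result ? $result->fetch_all(MYSQLI_ASSOC) : [];
    $db->close();
    return $rows;
}

// The statement from the test script above, bounded to 2 seconds.
$start = microtime(true);
try {
    query_with_deadline($cfg, 'SELECT SLEEP(5)', 2);
} catch (QueryTimeout $e) {
    printf("%s after %.1fs\n", $e->getMessage(), microtime(true) - $start);
}
```

An account can kill its own threads, so the second connection needs no extra privilege when it logs in as the same user. Where the server does support per-statement timeouts, the server-side limit remains the simpler control.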
 