php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77729 SECURITY BUG: SQL Injection with PDO::quote()
Submitted: 2019-03-12 19:38 UTC Modified: 2019-03-12 21:37 UTC
From: bogdanteleru at yahoo dot com Assigned:
Status: Not a bug Package: PDO MySQL
PHP Version: 7.2.16 OS: MacOS Mojave v10.14.3
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bogdanteleru at yahoo dot com
New email:
PHP Version: OS:

 

 [2019-03-12 19:38 UTC] bogdanteleru at yahoo dot com
Description:
------------
---
From manual page: https://php.net/pdo.quote
---

Running PDO::quote() on a string which ends in a quote (e.g. Naughty ' string') will result in a string which ends in an escaped quote (e.g. 'Naughty \' string\'). This opens a door to SQL injection; see the vulnerability example in the 'Test script' box, below.

Test script:
---------------
$name = '; DROP TABLE `test_table`; --\'';

// Sample PDO connection; can be whatever
$conn = new PDO('sqlite:/home/lynn/music.sql3');

$query = "SELECT * FROM `students` WHERE `first_name` = '%s' OR `last_name` = '%s'";
$query = sprintf($query, $conn->quote($name), $conn->quote($name));

echo $query;


Expected result:
----------------
I'm expecting the PHP script to echo the following string:
SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\'' OR `last_name` = '; DROP TABLE `test_table`; --\''

However, as seen in the 'Actual result' box, it's missing the end quote each time $name was inserted into the query string. This happens because PDO::quote() doesn't add the end quote if the original string already ends in a quote, as explained in the 'Description' box.

Actual result:
--------------
The script will echo:
SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\' OR `last_name` = '; DROP TABLE `test_table`; --\'

The above is basically two MySQL queries:
1. SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\' OR `last_name` = ';
2. DROP TABLE `test_table`; // dangerous


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-12 19:45 UTC] bogdanteleru at yahoo dot com
-Status: Open +Status: Closed
 [2019-03-12 19:45 UTC] bogdanteleru at yahoo dot com
Nevermind, there's no actual bug.
 [2019-03-12 19:46 UTC] bogdanteleru at yahoo dot com
Closed
 [2019-03-12 21:37 UTC] requinix@php.net
-Status: Closed +Status: Not a bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 18:01:29 2024 UTC