php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77729 SECURITY BUG: SQL Injection with PDO::quote()
Submitted: 2019-03-12 19:38 UTC Modified: 2019-03-12 21:37 UTC
From: bogdanteleru at yahoo dot com Assigned:
Status: Not a bug Package: PDO MySQL
PHP Version: 7.2.16 OS: MacOS Mojave v10.14.3
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bogdanteleru at yahoo dot com
New email:
PHP Version: OS:

 

 [2019-03-12 19:38 UTC] bogdanteleru at yahoo dot com 
Description:
------------
---
From manual page: https://php.net/pdo.quote
---

Running PDO::quote() on a string which ends in a quote (e.g. Naughty ' string') will result in a string which ends in an escaped quote (e.g. 'Naughty \' string\'). This opens a door to SQL injection; see the vulnerability example in the 'Test script' box, below.

Test script:
---------------
$name = '; DROP TABLE `test_table`; --\'';

// Sample PDO connection; can be whatever
$conn = new PDO('sqlite:/home/lynn/music.sql3');

$query = "SELECT * FROM `students` WHERE `first_name` = '%s' OR `last_name` = '%s'";
$query = sprintf($query, $conn->quote($name), $conn->quote($name));

echo $query;


Expected result:
----------------
I'm expecting the PHP script to echo the following string:
SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\'' OR `last_name` = '; DROP TABLE `test_table`; --\''

However, as seen in the 'Actual result' box, it's missing the end quote each time $name was inserted into the query string. This happens because PDO::quote() doesn't add the end quote if the original string already ends in a quote, as explained in the 'Description' box.

Actual result:
--------------
The script will echo:
SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\' OR `last_name` = '; DROP TABLE `test_table`; --\'

The above is basically two MySQL queries:
1. SELECT * FROM `students` WHERE `first_name` = '; DROP TABLE `test_table`; --\' OR `last_name` = ';
2. DROP TABLE `test_table`; // dangerous

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-12 19:45 UTC] bogdanteleru at yahoo dot com
-Status: Open +Status: Closed
 [2019-03-12 19:45 UTC] bogdanteleru at yahoo dot com 
Nevermind, there's no actual bug.
 [2019-03-12 19:46 UTC] bogdanteleru at yahoo dot com 
Closed
 [2019-03-12 21:37 UTC] requinix@php.net
-Status: Closed +Status: Not a bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 21:01:29 2024 UTC