php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #79269 Bundled SQLite is compiled without SQLITE_MAX_VARIABLE_NUMBER
Submitted: 2020-02-13 00:28 UTC Modified: -
From: effulgentsia1 at gmail dot com Assigned:
Status: Open Package: PDO SQLite
PHP Version: 7.3.14 OS: All
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-02-13 00:28 UTC] effulgentsia1 at gmail dot com
Description:
------------
PHP 7.4 unbundled the SQLite library, so benefits from how it was compiled on the system. Many systems (Mac OSX, Debian, Ubuntu, and others) compile it with SQLITE_MAX_VARIABLE_NUMBER=250000 or larger (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717900).

PHP 7.3 doesn't specify the flag (https://github.com/php/php-src/blob/PHP-7.3/ext/sqlite3/config0.m4#L80), so gets the low default of 999 (https://www.sqlite.org/limits.html#max_variable_number).

It would be helpful if PHP 7.3 could match the Debian number, to make the test script work.

SQLite sets the default so low in order to prevent SQL injection attacks from allocating excessive memory on low memory embedded systems (https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg119067.html). However, I don't think PHP is used on such systems, and a SQL injection attack in a PHP application can already do far more harm than merely allocating 18MB of memory (72 bytes * 250000).

I also filed a similar issue for Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=1798134).

Test script:
---------------
$large_array = range(0, 1000);

$db = new PDO('sqlite::memory:');
$placeholders = implode(', ', array_fill(0, count($large_array), '?'));
$stmt = $db->prepare("SELECT 1 WHERE 42 IN ($placeholders)");
var_dump($stmt->execute($large_array));


Expected result:
----------------
It should output "bool(true)", indicating that the execute() statement executed. 

Actual result:
--------------
It outputs nothing, because the execute() statement passes more arguments than the 999 limit.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-13 19:47 UTC] effulgentsia1 at gmail dot com
I also opened https://bugs.php.net/bug.php?id=79272 as a related issue.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Oct 22 16:01:24 2020 UTC