php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #79269 Bundled SQLite is compiled without SQLITE_MAX_VARIABLE_NUMBER
Submitted: 2020-02-13 00:28 UTC Modified: -
From: effulgentsia1 at gmail dot com Assigned:
Status: Open Package: PDO SQLite
PHP Version: 7.3.14 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: effulgentsia1 at gmail dot com
New email:
PHP Version: OS:

 

 [2020-02-13 00:28 UTC] effulgentsia1 at gmail dot com
Description:
------------
PHP 7.4 unbundled the SQLite library, so benefits from how it was compiled on the system. Many systems (Mac OSX, Debian, Ubuntu, and others) compile it with SQLITE_MAX_VARIABLE_NUMBER=250000 or larger (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717900).

PHP 7.3 doesn't specify the flag (https://github.com/php/php-src/blob/PHP-7.3/ext/sqlite3/config0.m4#L80), so gets the low default of 999 (https://www.sqlite.org/limits.html#max_variable_number).

It would be helpful if PHP 7.3 could match the Debian number, to make the test script work.

SQLite sets the default so low in order to prevent SQL injection attacks from allocating excessive memory on low memory embedded systems (https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg119067.html). However, I don't think PHP is used on such systems, and a SQL injection attack in a PHP application can already do far more harm than merely allocating 18MB of memory (72 bytes * 250000).

I also filed a similar issue for Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=1798134).

Test script:
---------------
$large_array = range(0, 1000);

$db = new PDO('sqlite::memory:');
$placeholders = implode(', ', array_fill(0, count($large_array), '?'));
$stmt = $db->prepare("SELECT 1 WHERE 42 IN ($placeholders)");
var_dump($stmt->execute($large_array));


Expected result:
----------------
It should output "bool(true)", indicating that the execute() statement executed. 

Actual result:
--------------
It outputs nothing, because the execute() statement passes more arguments than the 999 limit.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-13 19:47 UTC] effulgentsia1 at gmail dot com
I also opened https://bugs.php.net/bug.php?id=79272 as a related issue.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Oct 19 16:01:24 2020 UTC