php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #79269 Bundled SQLite is compiled without SQLITE_MAX_VARIABLE_NUMBER
Submitted: 2020-02-13 00:28 UTC Modified: 2020-12-22 16:52 UTC
From: effulgentsia1 at gmail dot com Assigned:
Status: Wont fix Package: PDO SQLite
PHP Version: 7.3.14 OS: All
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: effulgentsia1 at gmail dot com
New email:
PHP Version: OS:

 

 [2020-02-13 00:28 UTC] effulgentsia1 at gmail dot com
Description:
------------
PHP 7.4 unbundled the SQLite library, so benefits from how it was compiled on the system. Many systems (Mac OSX, Debian, Ubuntu, and others) compile it with SQLITE_MAX_VARIABLE_NUMBER=250000 or larger (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717900).

PHP 7.3 doesn't specify the flag (https://github.com/php/php-src/blob/PHP-7.3/ext/sqlite3/config0.m4#L80), so gets the low default of 999 (https://www.sqlite.org/limits.html#max_variable_number).

It would be helpful if PHP 7.3 could match the Debian number, to make the test script work.

SQLite sets the default so low in order to prevent SQL injection attacks from allocating excessive memory on low memory embedded systems (https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg119067.html). However, I don't think PHP is used on such systems, and a SQL injection attack in a PHP application can already do far more harm than merely allocating 18MB of memory (72 bytes * 250000).

I also filed a similar issue for Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=1798134).

Test script:
---------------
$large_array = range(0, 1000);

$db = new PDO('sqlite::memory:');
$placeholders = implode(', ', array_fill(0, count($large_array), '?'));
$stmt = $db->prepare("SELECT 1 WHERE 42 IN ($placeholders)");
var_dump($stmt->execute($large_array));


Expected result:
----------------
It should output "bool(true)", indicating that the execute() statement executed. 

Actual result:
--------------
It outputs nothing, because the execute() statement passes more arguments than the 999 limit.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-13 19:47 UTC] effulgentsia1 at gmail dot com
I also opened https://bugs.php.net/bug.php?id=79272 as a related issue.
 [2020-12-22 16:52 UTC] nikic@php.net
-Status: Open +Status: Wont fix
 [2020-12-22 16:52 UTC] nikic@php.net
7.3 is no longer actively supported, 7.4 has unbundled sqlite, so this issue is no longer applicable.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 11:01:27 2024 UTC