Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.12.2

Bug #19785 mysqli quote() security flaw
Submitted: 2013-01-15 13:19 UTC
From: empi89 Assigned: danielc
Status: Closed Package: DB (version 1.7.14)
PHP Version: 5.3.3 OS: Debian Squeeze
Roadmaps: (Not assigned)    
Subscription  


 [2013-01-15 13:19 UTC] empi89 (Peter Hansen)
Description: ------------ With mysqli driver quote() does not work as expected. Of course this function is deprecated but there should be at least an exception when using quote with mysqli as this could be a mayor security flaw. Test script: --------------- Suggestion: Add the quote method of mysql.php to mysqli.php too: // }}} // {{{ quote() /** * @deprecated Deprecated in release 1.6.0 */ function quote($str) { return $this->quoteSmart($str); } Test for verifying functionality $sql = "`identifier` = ".$db->quote('1234\\') var_dump($sql); Expected result: ---------------- string(23) "`identifier` = '1234\\'" Actual result: -------------- string(22) "`identifier` = '1234\'"

Comments

 [2014-11-20 23:02 UTC] danielc (Daniel Convissor)
-Status: Open +Status: Wont fix
mysql::quote() calls DB_common::quoteSmart() which calls mysql::escapeSimple() which calls PHP's mysql_real_escape_string() if that exists or mysql_escape_string(). If there's a problem, it's with PHP.
 [2014-11-20 23:41 UTC] empi89 (Peter Hansen)
-Status: Wont fix +Status: Closed -Assigned To: +Assigned To: empi89
Thanks Daniel! There was a fix in version 1.8.0 as there was a quote function added for mysqli and the one of db_common was used before. IMHO this was a security flaw in versions before version 1.8.0.
 [2014-11-21 01:33 UTC] danielc (Daniel Convissor)
I just released 1.8.1 which passes all quote() and quoteString() calls through quoteSmart().
 [2014-11-27 22:29 UTC] danielc (Daniel Convissor)
-Assigned To: empi89 +Assigned To: danielc