Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.12.2

Bug #19785 mysqli quote() security flaw
Submitted: 2013-01-15 13:19 UTC
From: empi89 Assigned: danielc
Status: Closed Package: DB (version 1.7.14)
PHP Version: 5.3.3 OS: Debian Squeeze
Roadmaps: (Not assigned)    
Subscription  
Comments Add Comment Add patch


Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem : 25 + 44 = ?

 
 [2013-01-15 13:19 UTC] empi89 (Peter Hansen)
Description: ------------ With mysqli driver quote() does not work as expected. Of course this function is deprecated but there should be at least an exception when using quote with mysqli as this could be a mayor security flaw. Test script: --------------- Suggestion: Add the quote method of mysql.php to mysqli.php too: // }}} // {{{ quote() /** * @deprecated Deprecated in release 1.6.0 */ function quote($str) { return $this->quoteSmart($str); } Test for verifying functionality $sql = "`identifier` = ".$db->quote('1234\\') var_dump($sql); Expected result: ---------------- string(23) "`identifier` = '1234\\'" Actual result: -------------- string(22) "`identifier` = '1234\'"

Comments

 [2014-11-20 23:02 UTC] danielc (Daniel Convissor)
-Status: Open +Status: Wont fix
mysql::quote() calls DB_common::quoteSmart() which calls mysql::escapeSimple() which calls PHP's mysql_real_escape_string() if that exists or mysql_escape_string(). If there's a problem, it's with PHP.
 [2014-11-20 23:41 UTC] empi89 (Peter Hansen)
-Status: Wont fix +Status: Closed -Assigned To: +Assigned To: empi89
Thanks Daniel! There was a fix in version 1.8.0 as there was a quote function added for mysqli and the one of db_common was used before. IMHO this was a security flaw in versions before version 1.8.0.
 [2014-11-21 01:33 UTC] danielc (Daniel Convissor)
I just released 1.8.1 which passes all quote() and quoteString() calls through quoteSmart().
 [2014-11-27 22:29 UTC] danielc (Daniel Convissor)
-Assigned To: empi89 +Assigned To: danielc