| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 1.12.2 |
| Bug #19785 | mysqli quote() security flaw | ||
|---|---|---|---|
| Submitted: | 2013-01-15 13:19 UTC | ||
| From: | empi89 | Assigned: | danielc |
| Status: | Closed | Package: | DB (version 1.7.14) |
| PHP Version: | 5.3.3 | OS: | Debian Squeeze |
| Roadmaps: | (Not assigned) | ||
[2013-01-15 13:19 UTC] empi89
(Peter Hansen)
Description:
------------
With mysqli driver quote() does not work as expected. Of course
this function is deprecated but there should be at least an
exception when using quote with mysqli as this could be a mayor
security flaw.
Test script:
---------------
Suggestion: Add the quote method of mysql.php to mysqli.php too:
// }}}
// {{{ quote()
/**
* @deprecated Deprecated in release 1.6.0
*/
function quote($str)
{
return $this->quoteSmart($str);
}
Test for verifying functionality
$sql = "`identifier` = ".$db->quote('1234\\')
var_dump($sql);
Expected result:
----------------
string(23) "`identifier` = '1234\\'"
Actual result:
--------------
string(22) "`identifier` = '1234\'"
Comments
[2014-11-20 23:02 UTC] danielc
(Daniel Convissor)
-Status: Open
+Status: Wont fix
mysql::quote() calls DB_common::quoteSmart() which calls mysql::escapeSimple() which calls PHP's mysql_real_escape_string() if that exists or mysql_escape_string().
If there's a problem, it's with PHP. [2014-11-20 23:41 UTC] empi89
(Peter Hansen)
-Status: Wont fix
+Status: Closed
-Assigned To:
+Assigned To: empi89
Thanks Daniel!
There was a fix in version 1.8.0 as there was a quote function added for mysqli and the
one of db_common was used before.
IMHO this was a security flaw in versions before version 1.8.0. [2014-11-21 01:33 UTC] danielc
(Daniel Convissor)
I just released 1.8.1 which passes all quote() and quoteString() calls through quoteSmart().