From:  danielc@analysisandsolutions.com
Date:  28 Nov 2014 01:29:04 Hong Kong Time
Newsgroup:  news.php.net/php.pear.bugs
Subject:  [PEAR-BUG] Bug #19785 [Csd]: mysqli quote() security flaw

Edit report at https://pear.php.net/bugs/bug.php?id=19785&edit=1

 ID:               19785
 Updated by:       danielc@analysisandsolutions.com
 Reported By:      peter dot hansen at myloc dot de
 Summary:          mysqli quote() security flaw
 Status:           Closed
 Type:             Bug
 Package:          DB
 Operating System: Debian Squeeze
 Package Version:  1.7.14
 PHP Version:      5.3.3
-Assigned To:      empi89
+Assigned To:      danielc
 Roadmap Versions: 
 New Comment:

-Assigned To: empi89
+Assigned To: danielc



Previous Comments:
------------------------------------------------------------------------

[2014-11-20 20:33:54] danielc

I just released 1.8.1 which passes all quote() and quoteString() calls
through quoteSmart().

------------------------------------------------------------------------

[2014-11-20 18:41:47] empi89

-Status:      Wont fix
+Status:      Closed
-Assigned To:
+Assigned To: empi89
Thanks Daniel!

There was a fix in version 1.8.0 as there was a quote function added for
mysqli and the one of db_common was used before.

IMHO this was a security flaw in versions before version 1.8.0.

------------------------------------------------------------------------

[2014-11-20 18:02:14] danielc

-Status: Open
+Status: Wont fix
mysql::quote() calls DB_common::quoteSmart() which calls
mysql::escapeSimple() which calls PHP's mysql_real_escape_string() if
that exists or mysql_escape_string().

If there's a problem, it's with PHP.

------------------------------------------------------------------------

[2013-01-15 08:19:41] empi89

Description:
------------
With mysqli driver quote() does not work as expected. Of course
this function is deprecated but there should be at least an
exception when using quote with mysqli as this could be a major
security flaw.

Test script:
---------------
Suggestion: Add the quote method of mysql.php to mysqli.php too:
// }}}
// {{{ quote()

/**
 * @deprecated  Deprecated in release 1.6.0
 */
function quote($str)
{
    return $this->quoteSmart($str);
}


Test for verifying functionality:
$sql = "`identifier` = " . $db->quote('1234\\');
var_dump($sql);


Expected result:
----------------
string(23) "`identifier` = '1234\\'"

Actual result:
--------------
string(22) "`identifier` = '1234\'"

------------------------------------------------------------------------
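The report's "Actual result" shows what the missing driver method cost: the value was wrapped in single quotes without being escaped, so the trailing backslash swallowed the closing quote and the literal never terminated. The following is an added example, not PEAR DB code, that contrasts that behaviour with escape-then-quote (what the 1.8.x fix does by routing quote() through quoteSmart()) and adds a small check that reports whether a produced literal is one complete, well-formed MySQL string. Because mysqli_real_escape_string() needs a live connection, escapeLikeMysql() is an assumed stand-in that applies the same set of escapes for an ASCII-compatible charset; naiveQuote(), safeQuote() and isWellFormedLiteral() are names chosen for this example.

```php
<?php
// Added example (not PEAR DB code). Contrasts the pre-1.8.0 behaviour shown in the
// report (quote() only wrapping the value in quotes) with escape-then-quote, and
// checks whether the resulting literal is well-formed.

function naiveQuote(string $str): string
{
    // What the reporter observed before 1.8.0: quotes added, nothing escaped.
    return "'" . $str . "'";
}

function escapeLikeMysql(string $str): string
{
    // Assumed stand-in for mysqli_real_escape_string() (which needs a connection).
    // Escapes the same bytes for an ASCII-compatible charset such as UTF-8.
    return strtr($str, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

function safeQuote(string $str): string
{
    // Escape first, then wrap: the order quoteSmart() -> escapeSimple() gives.
    return "'" . escapeLikeMysql($str) . "'";
}

/**
 * True when $literal is exactly one complete single-quoted MySQL string literal.
 * A backslash escapes the following byte; a doubled quote ('') is an escaped quote.
 */
function isWellFormedLiteral(string $literal): bool
{
    $len = strlen($literal);
    if ($len < 2 || $literal[0] !== "'") {
        return false;
    }
    $i = 1;
    while ($i < $len) {
        $c = $literal[$i];
        if ($c === "\\") {
            $i += 2;                // skip the escaped byte
            continue;
        }
        if ($c === "'") {
            if ($i + 1 < $len && $literal[$i + 1] === "'") {
                $i += 2;            // doubled quote inside the literal
                continue;
            }
            return $i === $len - 1; // the closing quote must be the last byte
        }
        $i++;
    }
    return false;                   // ran off the end: unterminated literal
}

// The report's test value: four digits followed by one backslash.
$input = '1234\\';
$cases = ['naiveQuote' => naiveQuote($input), 'safeQuote' => safeQuote($input)];
foreach ($cases as $name => $sql) {
    printf("%-10s %-10s well-formed: %s\n",
        $name, $sql, isWellFormedLiteral($sql) ? 'yes' : 'no');
}
```

Run with the PHP CLI; the naive form reproduces the report's unterminated `'1234\'`, the escaped form yields the expected `'1234\\'`, and the checker flags only the first. In a real driver the escape must come from the connection (mysqli_real_escape_string() or the driver's escapeSimple()), because the correct escaping depends on the connection's character set.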

