| author | Damien Regad <dregad@mantisbt.org> | 2016-05-26 13:33:55 +0200 |
|---|---|---|
| committer | Damien Regad <dregad@mantisbt.org> | 2016-09-06 17:31:03 +0200 |
| commit | bd9eca9f40220f9918ec3cc7ae9ef422b3e448b8 (patch) | |
| tree | 1f0f7ddc42230862547adbfc9b0c0bb1a5d1b420 /drivers | |
| parent | bfb32f996ece70578ca9189dff026b19e46bb61d (diff) | |
PDO: fix incorrect quoting allowing SQL injection
The PDO driver was relying on ADOConnection::qstr() for quoting strings.
An application relying on qstr() to manually prepare SQL statements
rather than using parameterized queries may be vulnerable to SQL
injection attacks, as demonstrated by @jdavidlists.
This commit delegates string quoting to PDO::quote() when a connection
is available. If not, it simply replaces single quotes with the value of
the $replaceQuote property.
Fixes #226
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/adodb-pdo.inc.php | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/drivers/adodb-pdo.inc.php b/drivers/adodb-pdo.inc.php
index e3f49a4f..63a3e6e0 100644
--- a/drivers/adodb-pdo.inc.php
+++ b/drivers/adodb-pdo.inc.php
@@ -518,6 +518,30 @@ class ADODB_pdo extends ADOConnection {
 {
 return ($this->_connectionID) ? $this->_connectionID->lastInsertId() : 0;
 }
+
+ /**
+ * Quotes a string to be sent to the database.
+ * If we have an active connection, delegates quoting to the underlying
+ * PDO object. Otherwise, replace "'" by the value of $replaceQuote (same
+ * behavior as mysqli driver)
+ * @param string $s The string to quote
+ * @param boolean $magic_quotes If false, use PDO::quote().
+ * @return string Quoted string
+ */
+ function qstr($s, $magic_quotes = false)
+ {
+ if (!$magic_quotes) {
+ if ($this->_connectionID) {
+ return $this->_connectionID->quote($s);
+ }
+ return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
+ }
+
+ // undo magic quotes for "
+ $s = str_replace('\\"', '"', $s);
+ return "'$s'";
+ }
+
 }
 class ADODB_pdo_base extends ADODB_pdo { |
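Review bot: The no-connection fallback `return "'" . str_replace("'", $this->replaceQuote, $s) . "'";` escapes only the quote character, so on a backend whose `$replaceQuote` is `\'` (MySQL-style escaping) an input of `\'` becomes `\\''`, the doubled backslash is consumed as a literal backslash and the next quote terminates the string — the same class of injection this commit fixes, confined to the disconnected path. Before that str_replace I would add the backslash/NUL doubling that, as far as I recall, the mysqli fallback the docblock cites also performs, `if ($this->replaceQuote[0] == '\\') { $s = str_replace(array('\\', "\0"), array('\\\\', "\\\0"), $s); }`, or better refuse to quote at all without a connection since no driver-agnostic output is safe. Separately, `PDO::quote()` is documented to return false for drivers that do not implement it, and a false flowing into string-built SQL concatenates as an empty string, so the connected branch should test `=== false` before returning rather than hand the caller a bare `WHERE x = `. The `$magic_quotes = true` branch only undoes `\"` and wraps the value unescaped, which is safe solely when the input really was magic-quoted; the docblock should say `@param boolean $magic_quotes If true, $s is assumed already escaped by magic_quotes_gpc and is NOT escaped here — never pass true for untrusted input.`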
