authorDamien Regad <dregad@mantisbt.org>2016-05-26 13:33:55 +0200
committerDamien Regad <dregad@mantisbt.org>2016-09-06 17:31:03 +0200
commitbd9eca9f40220f9918ec3cc7ae9ef422b3e448b8 (patch)
tree1f0f7ddc42230862547adbfc9b0c0bb1a5d1b420 /drivers
parentbfb32f996ece70578ca9189dff026b19e46bb61d (diff)
PDO: fix incorrect quoting allowing SQL injection
The PDO driver was relying on ADOConnection::qstr() for quoting strings. An application relying on qstr() to manually prepare SQL statements rather than using parameterized queries may be vulnerable to SQL injection attacks, as demonstrated by @jdavidlists. This commit delegates string quoting to PDO::quote() when a connection is available. If not, it simply replaces single quotes with the value of the $replaceQuote property. Fixes #226
Diffstat (limited to 'drivers')
-rw-r--r--drivers/adodb-pdo.inc.php24
1 files changed, 24 insertions, 0 deletions
diff --git a/drivers/adodb-pdo.inc.php b/drivers/adodb-pdo.inc.php
index e3f49a4f..63a3e6e0 100644
--- a/drivers/adodb-pdo.inc.php
+++ b/drivers/adodb-pdo.inc.php
@@ -518,6 +518,30 @@ class ADODB_pdo extends ADOConnection {
{
return ($this->_connectionID) ? $this->_connectionID->lastInsertId() : 0;
}
+
+ /**
+ * Quotes a string to be sent to the database.
+ * If we have an active connection, delegates quoting to the underlying
+ * PDO object. Otherwise, replace "'" by the value of $replaceQuote (same
+ * behavior as mysqli driver)
+ * @param string $s The string to quote
+ * @param boolean $magic_quotes If false, use PDO::quote().
+ * @return string Quoted string
+ */
+ function qstr($s, $magic_quotes = false)
+ {
+ if (!$magic_quotes) {
+ if ($this->_connectionID) {
+ return $this->_connectionID->quote($s);
+ }
+ return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
+ }
+
+ // undo magic quotes for "
+ $s = str_replace('\\"', '"', $s);
+ return "'$s'";
+ }
+
}
class ADODB_pdo_base extends ADODB_pdo {
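Review bot: `return $this->_connectionID->quote($s);` in the non-magic-quotes branch can hand back `false`, since PDO::quote() returns false when the underlying driver does not support quoting, and a false concatenated into SQL becomes an empty, unquoted fragment instead of a quoted literal. Checking the result and falling through to the existing replaceQuote fallback keeps the method's contract of always returning a quoted string: `$quoted = $this->_connectionID->quote($s);` then `if ($quoted !== false) { return $quoted; }` placed before the `return "'" . str_replace(...)` line. The `$magic_quotes` branch at the end still returns `$s` wrapped in quotes after only undoing `\"`, so a caller passing true skips PDO::quote() entirely; since magic_quotes_gpc no longer exists in supported PHP, that path can only be safe for input escaped upstream. The docblock should state this, e.g. `@param boolean $magic_quotes If true, assumes $s is already escaped (legacy magic_quotes_gpc input) and only wraps it in quotes; otherwise use PDO::quote().`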