Edit report at https://bugs.php.net/bug.php?id=54169&edit=1

 ID:                 54169
 Comment by:         a dot schilder at gmx dot de
 Reported by:        [email protected]
 Summary:            Garbage Pointers returned for (n)varchar(max)
                     columns (SQL Server)
 Status:             Assigned
 Type:               Bug
 Package:            PDO related
 Operating System:   Any
 PHP Version:        Irrelevant
 Assigned To:        auroraeosrose
 Block user comment: N
 Private report:     N

 New Comment:

This bug is really evil and should be treated as a security issue.

In one case I got the content of a previously loaded PHP file instead of the 
requested field data, so it's possible that the content of sensitive files is 
returned and shown.


Previous Comments:
------------------------------------------------------------------------
[2011-05-12 10:58:33] bugs dot php at pixbox dot co dot uk

I'm experiencing the same issue, using PHP 5, a Microsoft SQL Server 2008, and 
a direct ODBC connection.

My workaround was to alter the nvarchar(max) columns to nvarchar(n) where n is 
whatever the suitable size for that column was, or text.

The really strange thing was that when it was returning gibberish, it returned 
snippets of PHP code from the page that ran the query!

------------------------------------------------------------------------
[2011-03-05 17:06:22] [email protected]

Description:
------------
I found an issue this week that exists in both odbc and pdo_odbc with
SQL Server.  The ODBC implementation of Windows returns 0 as the length
for varchar(max) and nvarchar(max).  This makes the allocation of
the strings incorrect and you get back garbage pointers for the
contents.

This was a pretty easy fix for pdo_odbc, simply check if the colsize
is returned as 0 and the type is one of the varchar types, if so
always treat it as a column with "long" data.  This works perfectly
without breaking things.  Attached is a patch that works for both 5.3
and trunk, includes an additional test for the issue.

ODBC shows the same issue - don't have a fix for that

Occurs in all versions of PHP

There are multiple bug reports concerning this and related to it - I'll try to 
gather them all up (later)

Test script:
---------------
$db = new PDO('odbc:yourdsnhere', 'username', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE testing(id INT NOT NULL PRIMARY KEY, data varchar(max))');
$insert = $db->prepare('INSERT INTO testing VALUES (?, ?)');
$insert->execute(array(1, str_repeat('i', 500)));
$stmt = $db->query('select * from testing');
var_dump($stmt->fetchAll());

// release the PDO handles before opening the plain odbc connection
unset($db, $insert, $stmt);

// This shows the same issue in odbc
$db = odbc_connect('yourdsnhere', 'username', 'password');
$stmt = odbc_exec($db, 'select * from testing');
var_dump(odbc_fetch_array($stmt));

Expected result:
----------------
array(1) { [0]=> array(4) { ["id"]=> string(1) "1" [0]=> string(1) "1" 
["data"]=> string(500) 
"iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"
 [1]=> string(500) 
"iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"
 } }


Same for the odbc call

Actual result:
--------------
array(1) { [0]=> array(4) { ["id"]=> string(1) "1" [0]=> string(1) "1" 
["data"]=> string(500) 
"�-\p-\!������ˆòE�������ii����iiii!���!���select
 * from 
foo�iiiiii���!�������hall�iiiiiii!������ÀùE�������ii��������1���!���­|a���ìòEáE����ðE��������stmt����!���1���(áE����������������1���!�������������������`óEÃ
 ÃµE$E 
©"���1���1�����������óE����à
õE������������€������1���1�������������������óE�������@éEøëE���!���1���Ã
 
óEô������������������!���iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"
 [1]=> string(500) 
"�-\p-\!������ˆòE�������ii����iiii!���!���select
 * from 
foo�iiiiii���!�������hall�iiiiiii!������ÀùE�������ii��������1���!���­|a���ìòEáE����ðE��������stmt����!���1���(áE����������������1���!�������������������`óEÃ
 ÃµE$E 
©"���1���1�����������óE����à
õE������������€������1���1�������������������óE�������@éEøëE���!���1���Ã
 
óEô������������������!���iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"
 } } array(2) { ["id"]=> string(1) "1" ["data"]=> string(500) 
"�èE8öEp�����HöEHöE$.\päE����icrosoft][SQL 
Server Native Client 10.0]String data, right 
truncation�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"
 } 


------------------------------------------------------------------------
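As an added illustration of the fix described in the report (constructed example code, not the patch attached to this bug and not PHP's pdo_odbc source): `column_is_long_data` applies the check from the description, treating a character column whose driver-reported size is 0 as "long" data, and `fetch_column` shows the two allocation strategies that follow from that decision. The driver side is a hypothetical in-memory stub (`struct fake_col`, `fake_get_data`) that mimics SQLGetData's chunked, NUL-terminated reads; the ODBC type and return codes carry their standard numeric values, and the 500-byte value mirrors the test script above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ODBC type and return codes, numeric values as defined in sql.h/sqlext.h. */
#define SQL_CHAR 1
#define SQL_VARCHAR 12
#define SQL_LONGVARCHAR (-1)
#define SQL_WCHAR (-8)
#define SQL_WVARCHAR (-9)
#define SQL_WLONGVARCHAR (-10)
#define SQL_SUCCESS 0
#define SQL_SUCCESS_WITH_INFO 1
#define SQL_NO_DATA 100

/* The check from the report: a character column whose reported size is 0
 * (what SQL Server's driver reports for (n)varchar(max)) is treated as
 * "long" data instead of getting a colsize-derived buffer. */
int column_is_long_data(short sql_type, unsigned long colsize)
{
    switch (sql_type) {
    case SQL_LONGVARCHAR: case SQL_WLONGVARCHAR:
        return 1;                       /* always streamed */
    case SQL_CHAR: case SQL_VARCHAR: case SQL_WCHAR: case SQL_WVARCHAR:
        return colsize == 0;            /* the fix: size 0 means unbounded */
    default:
        return 0;
    }
}

/* Hypothetical stand-in for a driver column (constructed here, not ODBC):
 * the full value plus a read cursor, so repeated calls mimic SQLGetData. */
struct fake_col {
    short sql_type;
    unsigned long colsize;              /* what SQLDescribeCol would report */
    const char *value;
    size_t value_len, pos;
    int exhausted;
};

/* Copy up to buflen-1 bytes and NUL-terminate; *indicator receives the
 * bytes still pending before this call, as SQLGetData reports it. */
static int fake_get_data(struct fake_col *c, char *buf, size_t buflen, long *indicator)
{
    size_t remaining = c->value_len - c->pos, room;
    if (c->exhausted) return SQL_NO_DATA;
    if (buflen == 0) return SQL_SUCCESS_WITH_INFO;
    room = buflen - 1;
    *indicator = (long)remaining;
    if (room < remaining) {             /* does not fit: partial chunk */
        memcpy(buf, c->value + c->pos, room);
        buf[room] = '\0';
        c->pos += room;
        return SQL_SUCCESS_WITH_INFO;
    }
    memcpy(buf, c->value + c->pos, remaining);
    buf[remaining] = '\0';
    c->pos += remaining;
    c->exhausted = 1;
    return SQL_SUCCESS;
}

/* Fetch one column into a fresh malloc'd NUL-terminated buffer; returns the
 * byte length, or (size_t)-1 if allocation fails. */
size_t fetch_column(struct fake_col *c, char **out)
{
    long ind = 0;
    size_t cap, len = 0;
    char *buf, *nbuf;
    if (!column_is_long_data(c->sql_type, c->colsize)) {
        /* Bounded column: colsize is trustworthy, one read of colsize+1. */
        cap = c->colsize + 1;
        if (!(buf = malloc(cap))) return (size_t)-1;
        fake_get_data(c, buf, cap, &ind);
        *out = buf;
        return (size_t)ind < c->colsize ? (size_t)ind : c->colsize;
    }
    /* Long data: size unknown up front, so read in chunks and grow the
     * buffer until the driver stops reporting truncation. */
    cap = 256;
    if (!(buf = malloc(cap))) return (size_t)-1;
    for (;;) {
        int rc = fake_get_data(c, buf + len, cap - len, &ind);
        if (rc == SQL_SUCCESS) { len += (size_t)ind; break; }
        if (rc == SQL_NO_DATA) break;
        len = cap - 1;                  /* chunk filled except for the NUL */
        if (!(nbuf = realloc(buf, cap * 2))) { free(buf); return (size_t)-1; }
        buf = nbuf;
        cap *= 2;
    }
    *out = buf;
    return len;
}

/* The report's scenario with constructed data: a varchar(max) column
 * reported as size 0 holding 500 'i's. Returns the fetched length if every
 * byte came back as 'i', 0 otherwise. */
size_t demo_varchar_max_fetch(void)
{
    static char value[500];
    struct fake_col col = { SQL_VARCHAR, 0, value, sizeof value, 0, 0 };
    char *out = NULL;
    size_t i, len;
    memset(value, 'i', sizeof value);
    len = fetch_column(&col, &out);
    for (i = 0; len != (size_t)-1 && i < len; i++)
        if (out[i] != 'i') len = 0;
    free(out);
    return len == (size_t)-1 ? 0 : len;
}

/* A plain varchar(10) column stays on the bounded path. */
size_t demo_bounded_fetch(void)
{
    struct fake_col col = { SQL_VARCHAR, 10, "hello", 5, 0, 0 };
    char *out = NULL;
    size_t len = fetch_column(&col, &out);
    free(out);
    return len;
}

int main(void)
{
    printf("varchar(max): %zu bytes, varchar(10): %zu bytes\n",
           demo_varchar_max_fetch(), demo_bounded_fetch());
    return 0;
}
```

The point of the chunked path is that the buffer size is never derived from the untrustworthy `colsize`; the code grows the buffer only as far as the driver actually delivers data, which is why a reported size of 0 can no longer lead to an undersized allocation and the stale memory the reporters saw in their result sets.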


