Edit report at https://bugs.php.net/bug.php?id=62978&edit=1

 ID:                 62978
 Updated by:         yohg...@php.net
 Reported by:        slokunshialgo at gmail dot com
 Summary:            pg_select() and similar are vulnerable to SQL
                     injection via identifier
 Status:             Closed
-Type:               Security
+Type:               Bug
 Package:            PostgreSQL related
 Operating System:   *
 PHP Version:        5.3 - master
 Assigned To:        yohgaki
 Block user comment: N
 Private report:     Y

 New Comment:

This fix is treated as a security enhancement, so the 5.3 branch won't be fixed.


Previous Comments:
------------------------------------------------------------------------
[2013-08-05 10:01:11] yohg...@php.net

Fixed. 

http://git.php.net/?p=php-src.git;a=commitdiff;h=cb8d1fc7f913085117da109f89a1e5a6cb535c09

------------------------------------------------------------------------
[2013-06-30 21:30:40] yohg...@php.net

I've made a patch against PHP-5.3.

https://github.com/yohgaki/php-src/compare/PHP-5.3-pg_select_fix

It passes tests with PostgreSQL 9.2, but it should be tested with 8.4 or less.
This patch is supposed to be able to merge up to master, but it is not tested yet.

------------------------------------------------------------------------
[2013-06-29 20:49:22] yohg...@php.net

Changed Summary to a descriptive one.

------------------------------------------------------------------------
[2013-06-29 20:39:23] yohg...@php.net

I think this problem existed from the beginning. So any version which has
pg_select()/etc. is affected.

------------------------------------------------------------------------
[2013-06-29 20:36:10] yohg...@php.net

This is the way it is supposed to be used. pg_select() and similar functions should
automatically escape string vars, and they do.

pg_select($db, 't1',['str'=>"It's a string"]);
produces
LOG:  文: SELECT * FROM t1 WHERE str='It''s a string';
Note that the string is properly escaped.

However, they don't escape identifiers. This should be fixed.

------------------------------------------------------------------------
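
The gap described in the comment above (values escaped, identifiers not), shown as an added example that is not code from the bug report or from php-src. quote_ident() and build_select() are hypothetical helper names, and the inputs are constructed:

```php
<?php
declare(strict_types=1);

// Quote a name as a PostgreSQL delimited identifier: wrap it in double
// quotes and double any embedded double quote. NUL bytes are rejected.
function quote_ident(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '"' . str_replace('"', '""', $name) . '"';
}

// Hypothetical helper (not a PHP API): build a parameterized SELECT from a
// table name and a column => value array, the argument shape pg_select()
// accepts. Returns [sql, params], ready for pg_query_params().
function build_select(string $table, array $conds, array $allowedColumns): array
{
    $where = [];
    $params = [];
    foreach ($conds as $column => $value) {
        $column = (string) $column;
        // Allowlist first: quoting keeps the name inert, the allowlist
        // keeps callers to the columns they are meant to filter on.
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("unexpected column: $column");
        }
        $params[] = $value;
        $where[] = quote_ident($column) . ' = $' . count($params);
    }
    $sql = 'SELECT * FROM ' . quote_ident($table);
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

// Constructed input: values travel as parameters, names are quoted.
[$sql, $params] = build_select('t1', ['str' => "It's a string"], ['str']);
echo $sql, "\n";

// Constructed input: an array key with an embedded double quote stays a
// single quoted name instead of changing the statement's structure.
echo quote_ident('str" OR "x'), "\n";
```

Quoted identifiers are case-sensitive in PostgreSQL, so the names passed in must match the catalog's spelling exactly.
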


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62978

