From:             icemaze at tiscalinet dot it
Operating system: Linux 2.6
PHP version:      4.3.3
PHP Bug Type:     MySQL related
Bug description:  mysql_escape_string() and mysql_real_escape_string() should escape backquotes

Description:
------------
I think mysql_escape_string() and mysql_real_escape_string() should escape
backquotes to avoid potential security problems in case an application uses
an input field as the name for a table or for a field.

So...

Reproduce code:
---------------
<?
$name = $_POST["name"];
$ename = mysql_real_escape_string($name);
print("'$name' => '$ename'");
@mysql_query("INSERT INTO `$ename` SET `blah`='blah'");
?>

Expected result:
----------------
'` SET `protectedfield`=1' => '\` SET \`protectedfield \`=1'

Actual result:
--------------
'` SET `protectedfield`=1' => '` SET `protectedfield`=1'

This way the query modifies a field which was not supposed to be modified.

--
Edit bug report at http://bugs.php.net/?id=26230&edit=1
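
Added example, not part of the original report and not PHP's own code: a sketch of handling user-chosen table names as identifiers instead of passing them through a string-escaping function. The allowlist contents and the helper names quote_identifier() and table_from_input() are hypothetical; the sample input is the one from the report.

```php
<?php
// Added illustration. ALLOWED_TABLES and both helpers are hypothetical names.

// Tables the application is willing to let a request select (constructed sample).
const ALLOWED_TABLES = ['guestbook', 'comments'];

// Quote a MySQL identifier. Inside a backtick-quoted identifier a literal
// backtick is written by doubling it, not by prefixing a backslash.
function quote_identifier(string $name): string
{
    // MySQL identifiers are at most 64 characters and cannot contain NUL.
    if ($name === '' || strlen($name) > 64 || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Preferred control: map request input onto a fixed set of known tables,
// then quote the result as defence in depth.
function table_from_input(string $input): string
{
    if (!in_array($input, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return quote_identifier($input);
}

$payload = '` SET `protectedfield`=1';   // input from the report

// With doubling, the whole input stays a single (nonexistent) table name,
// so the statement cannot reach another column.
echo 'INSERT INTO ' . quote_identifier($payload) . " SET `blah`='blah'\n";

// With the allowlist, the input never reaches the query text at all.
foreach (['guestbook', $payload] as $input) {
    try {
        echo 'accepted: ' . table_from_input($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```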