grammars can escape values for safe embedding in sql queries

laravel · Mar 23, 2023 · 5eb1c54 · 5eb1c54
1 parent 7046e9b
commit 5eb1c54
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 9 deletions.
diff --git a/src/Illuminate/Database/Connection.php b/src/Illuminate/Database/Connection.php
@@ -257,7 +257,10 @@ public function useDefaultQueryGrammar()
      */
     protected function getDefaultQueryGrammar()
     {
-        return new QueryGrammar;
+        $grammar = new QueryGrammar();
+        $grammar->setConnection($this);
+
+        return $grammar;
     }
 
     /**

diff --git a/src/Illuminate/Database/Grammar.php b/src/Illuminate/Database/Grammar.php
@@ -10,6 +10,13 @@ abstract class Grammar
 {
     use Macroable;
 
+    /**
+     * The connection used for escaping values.
+     *
+     * @var \Illuminate\Database\Connection
+     */
+    protected $connection = null;
+
     /**
      * The grammar table prefix.
      *
@@ -196,6 +203,32 @@ public function quoteString($value)
         return "'$value'";
     }
 
+    /**
+     * Escapes a value to use it for safe SQL embedding.
+     *
+     * @param  string|float|int  $value
+     * @return string
+     */
+    public function escape($value)
+    {
+        if (null === $this->connection) {
+            throw new RuntimeException('The grammar has no connection to escape any value.');
+        }
+
+        // The documentation of PDO::quote states that it should be theoretically safe to use a quoted string within
+        // a SQL query. While only being "theoretically" safe this behaviour is used within the PHP MySQL driver all the
+        // time as no real prepared statements are used because it is emulating prepares by default. All remaining known
+        // SQL injections are always some strange charset conversion tricks that start by using invalid UTF-8 sequences.
+        // But those attacks are fixed by setting the proper connection charset which is done by the standard Laravel
+        // configuration. To further secure the implementation we can scrub the value by checking for invalid UTF-8
+        // sequences.
+        if (false === preg_match('//u', (string) $value)) {
+            throw new RuntimeException('The value contains an invalid UTF-8 byte sequence.');
+        }
+
+        return $this->connection->getReadPdo()->quote($value);
+    }
+
     /**
      * Determine if the given value is a raw expression.
      *
@@ -254,4 +287,17 @@ public function setTablePrefix($prefix)
 
         return $this;
     }
+
+    /**
+     * Set the grammar's database connection.
+     *
+     * @param  \Illuminate\Database\Connection  $prefix
+     * @return $this
+     */
+    public function setConnection($connection)
+    {
+        $this->connection = $connection;
+
+        return $this;
+    }
 }
diff --git a/src/Illuminate/Database/MySqlConnection.php b/src/Illuminate/Database/MySqlConnection.php
@@ -30,7 +30,10 @@ public function isMaria()
      */
     protected function getDefaultQueryGrammar()
     {
-        return $this->withTablePrefix(new QueryGrammar);
+        $grammar = new QueryGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**
@@ -54,7 +57,10 @@ public function getSchemaBuilder()
      */
     protected function getDefaultSchemaGrammar()
     {
-        return $this->withTablePrefix(new SchemaGrammar);
+        $grammar = new SchemaGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**

diff --git a/src/Illuminate/Database/PostgresConnection.php b/src/Illuminate/Database/PostgresConnection.php
@@ -19,7 +19,10 @@ class PostgresConnection extends Connection
      */
     protected function getDefaultQueryGrammar()
     {
-        return $this->withTablePrefix(new QueryGrammar);
+        $grammar = new QueryGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**
@@ -43,7 +46,10 @@ public function getSchemaBuilder()
      */
     protected function getDefaultSchemaGrammar()
     {
-        return $this->withTablePrefix(new SchemaGrammar);
+        $grammar = new SchemaGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**

diff --git a/src/Illuminate/Database/SQLiteConnection.php b/src/Illuminate/Database/SQLiteConnection.php
@@ -43,7 +43,10 @@ public function __construct($pdo, $database = '', $tablePrefix = '', array $conf
      */
     protected function getDefaultQueryGrammar()
     {
-        return $this->withTablePrefix(new QueryGrammar);
+        $grammar = new QueryGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**
@@ -67,7 +70,10 @@ public function getSchemaBuilder()
      */
     protected function getDefaultSchemaGrammar()
     {
-        return $this->withTablePrefix(new SchemaGrammar);
+        $grammar = new SchemaGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**

diff --git a/src/Illuminate/Database/SqlServerConnection.php b/src/Illuminate/Database/SqlServerConnection.php
@@ -61,7 +61,10 @@ public function transaction(Closure $callback, $attempts = 1)
      */
     protected function getDefaultQueryGrammar()
     {
-        return $this->withTablePrefix(new QueryGrammar);
+        $grammar = new QueryGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**
@@ -85,7 +88,10 @@ public function getSchemaBuilder()
      */
     protected function getDefaultSchemaGrammar()
     {
-        return $this->withTablePrefix(new SchemaGrammar);
+        $grammar = new SchemaGrammar();
+        $grammar->setConnection($this);
+
+        return $this->withTablePrefix($grammar);
     }
 
     /**