PDO: fix incorrect quoting allowing SQL injection
The PDO driver was relying on ADOConnection::qstr() for quoting strings.
An application relying on qstr() to manually prepare SQL statements
rather than using parameterized queries may be vulnerable to SQL
injection attacks, as demonstrated by @jdavidlists.

This commit delegates string quoting to PDO::quote() when a connection
is available. If not, it simply replaces single quotes with the value of
the $replaceQuote property.

Fixes #226
dregad committed Sep 6, 2016
1 parent bfb32f9 commit bd9eca9
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions drivers/adodb-pdo.inc.php
Expand Up @@ -518,6 +518,30 @@ function _insertid()
{
return ($this->_connectionID) ? $this->_connectionID->lastInsertId() : 0;
}

/**
* Quotes a string to be sent to the database.
* If we have an active connection, delegates quoting to the underlying
* PDO object. Otherwise, replace "'" by the value of $replaceQuote (same
* behavior as mysqli driver)
* @param string $s The string to quote
* @param boolean $magic_quotes If false, use PDO::quote().
* @return string Quoted string
*/
function qstr($s, $magic_quotes = false)
{
if (!$magic_quotes) {
if ($this->_connectionID) {
return $this->_connectionID->quote($s);
}
return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
}

// undo magic quotes for "
$s = str_replace('\\"', '"', $s);
return "'$s'";
}

}

class ADODB_pdo_base extends ADODB_pdo {
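Review bot: PDO::quote() can return false for PDO drivers that do not implement quoting (the ODBC driver is one), and the line `return $this->_connectionID->quote($s);` passes that result through unchecked, so a caller that concatenates it into SQL would get an empty value instead of a quoted string. Suggest checking the result and falling back to the `str_replace` path, e.g. `$quoted = $this->_connectionID->quote($s); if ($quoted !== false) { return $quoted; }`. Two smaller points: the fallback `"'" . str_replace("'", $this->replaceQuote, $s) . "'"` only rewrites single quotes, so it is only as safe as `$replaceQuote` is correct for the backend behind the PDO DSN and gives less protection than the driver-aware quote(); and the `$magic_quotes` branch returns `"'$s'"` after undoing only `\"`, relying on the input having already been escaped by the magic_quotes mechanism (removed in PHP 5.4), which the docblock should state explicitly so callers do not pass `true` on current PHP.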
