
DBAL-164: Quoting allows SQL injections #1321

Closed
doctrinebot opened this Issue · 4 comments

2 participants

@doctrinebot

Jira issue originally created by user ogmueller:

<?php
// $conn is a Doctrine\DBAL\Connection to an Oracle (OCI) database
$test = "foo ' bar";
$quoted = $conn->quote( $test );
echo $quoted;

RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'

@doctrinebot

Comment created by @guilhermeblanco:

Fixed in 82cc921

@doctrinebot

Issue was closed with resolution "Fixed"

@doctrinebot

Comment created by @beberlei:

Backported to 2.0.9

@doctrinebot

Comment created by @beberlei:

Fix was modified to use the Zend Framework code for quoting OCI input: 97638ed

This code is now in DBAL 2.1.4 and 2.0.9 and I have added some tests to verify some simple SQL Injection vectors don't work on any supported platform.
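Added example, not Doctrine's or Zend Framework's code: it contrasts the wrap-only quoting this issue reports with Oracle-style quoting (Oracle, like ANSI SQL, escapes a quote inside a literal by doubling it rather than with a backslash) and checks, with a small literal parser, that the quoted value stays inside one string literal for a few constructed injection vectors.

```python
"""Check that a quote() implementation keeps untrusted input inside one
SQL string literal. Constructed example in the spirit of the DBAL-164
regression tests; the vectors and helpers below are made up here."""


def quote_broken(value: str) -> str:
    # Behaviour reported in DBAL-164 for OCI: wrap in quotes, no escaping.
    return "'" + value + "'"


def quote_oracle(value: str) -> str:
    # Oracle/ANSI rule: a single quote inside a literal is written twice.
    return "'" + value.replace("'", "''") + "'"


def parse_literal(sql: str, pos: int):
    """Parse one SQL string literal starting at sql[pos] (a quote).
    Returns (decoded_value, end_pos), or None if it is unterminated."""
    assert sql[pos] == "'"
    out, i = [], pos + 1
    while i < len(sql):
        if sql[i] == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")  # doubled quote -> literal quote
                i += 2
                continue
            return "".join(out), i + 1  # closing quote
        out.append(sql[i])
        i += 1
    return None


def round_trips(quote, value: str) -> bool:
    """True if quote(value), embedded in a statement, parses back to exactly
    the original value with nothing left over outside the literal."""
    prefix = "SELECT * FROM users WHERE name = "
    sql = prefix + quote(value)
    parsed = parse_literal(sql, len(prefix))
    if parsed is None:
        return False
    decoded, end = parsed
    return decoded == value and end == len(sql)


# Constructed vectors: the report's input, a tautology, a stacked statement,
# and edge cases (plain text, empty, only quotes).
VECTORS = ["foo ' bar", "' OR '1'='1", "'; DROP TABLE users; --", "plain", "", "''"]


def check_all(quote) -> dict:
    """Map each vector to whether the quoting function contains it."""
    return {v: round_trips(quote, v) for v in VECTORS}
```

Running `check_all(quote_broken)` flags every vector containing a quote, while `check_all(quote_oracle)` passes all of them.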

@doctrinebot doctrinebot added the Bug label
@doctrinebot doctrinebot added this to the 2.1.3 milestone
@doctrinebot doctrinebot closed this