DBAL-164: Quoting allows SQL injections #1321

Closed
doctrinebot opened this Issue Sep 10, 2011 · 4 comments


@doctrinebot

Jira issue originally created by user ogmueller:

```php
<?php
// $conn is a Doctrine\DBAL\Connection (here on the OCI8/Oracle driver)
$test = "foo ' bar";
$quoted = $conn->quote( $test );
echo $quoted;
```

RESULT: 'foo ' bar'
EXPECTED: 'foo \' bar'

@doctrinebot

Comment created by @guilhermeblanco:

Fixed in 82cc921

@doctrinebot

Issue was closed with resolution "Fixed"

@doctrinebot

Comment created by @beberlei:

Backported to 2.0.9

@doctrinebot

Comment created by @beberlei:

Fix was modified to use the Zend Framework code for quoting OCI input: 97638ed

This code is now in DBAL 2.1.4 and 2.0.9 and I have added some tests to verify that some simple SQL injection vectors don't work on any supported platform.
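The mechanics behind this bug, as an added example that is not code from the issue or from Doctrine DBAL: `quoteBroken()` reproduces the reported behaviour (the value is wrapped in quotes but nothing inside is escaped), `quoteOracle()` applies Oracle-style quoting, in which an embedded single quote is written as two single quotes (Oracle does not treat backslash as an escape character in string literals, which is why the fix followed the Zend Framework's Oracle adapter rather than backslash escaping), and `sqlAfterLiteral()` scans a literal the way an Oracle-style parser would and returns whatever text falls outside it, i.e. what the database would execute as SQL. All three function names and the payloads are constructed for this example.

```php
<?php
// Added example, not Doctrine DBAL code. Function names are hypothetical.
declare(strict_types=1);

/** The behaviour reported in this issue: wrap in quotes, escape nothing. */
function quoteBroken(string $value): string
{
    return "'" . $value . "'";
}

/**
 * Oracle-style quoting: every single quote inside the literal is doubled.
 * Oracle has no backslash escapes, so this is the only transformation needed.
 */
function quoteOracle(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * Walk a quoted literal under Oracle's quote-doubling rule and return the
 * text that follows the closing quote (an empty string when the literal
 * absorbs the whole value). Returns null if the literal never terminates.
 */
function sqlAfterLiteral(string $quoted): ?string
{
    $len = strlen($quoted);
    if ($len < 2 || $quoted[0] !== "'") {
        return $quoted; // not a string literal at all: everything is SQL
    }
    for ($i = 1; $i < $len; $i++) {
        if ($quoted[$i] !== "'") {
            continue;
        }
        if ($i + 1 < $len && $quoted[$i + 1] === "'") {
            $i++; // doubled quote: still inside the literal
            continue;
        }
        return substr($quoted, $i + 1); // literal closed here
    }
    return null; // unterminated literal
}

// Constructed payloads: the reporter's value plus two classic injection strings.
$payloads = [
    "foo ' bar",
    "x' OR '1'='1",
    "'; DROP TABLE users --",
];

foreach ($payloads as $payload) {
    $broken = quoteBroken($payload);
    $safe   = quoteOracle($payload);

    printf("payload: %s\n", $payload);
    printf("  broken quoting : %-32s trailing SQL: %s\n",
        $broken, var_export(sqlAfterLiteral($broken), true));
    printf("  oracle quoting : %-32s trailing SQL: %s\n",
        $safe, var_export(sqlAfterLiteral($safe), true));
    printf("  query          : SELECT * FROM users WHERE name = %s\n\n", $safe);
}
```

With the broken quoting, `foo ' bar` becomes `'foo ' bar'`, the literal closes after `foo `, and ` bar'` is handed to the database as SQL; with quote doubling the same input becomes `'foo '' bar'` and nothing escapes the literal. Quoting is still the fallback, not the first choice: bound parameters via `prepare()`/`executeQuery()` keep data out of the SQL text entirely and should be preferred wherever the value is not part of a statement's structure.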

@doctrinebot doctrinebot added the Bug label Dec 6, 2015
@doctrinebot doctrinebot added this to the 2.1.3 milestone Dec 6, 2015
@doctrinebot doctrinebot closed this Dec 6, 2015