
[Security] Fix sql injection in modifyLimitQuery() for PgSQL and DB2

1 parent 728e669 commit fcaa63256e306f312ad545a77b97134f5764c0b7 @beberlei beberlei committed Mar 20, 2011
Showing with 6 additions and 6 deletions.
  1. +3 −3 lib/Doctrine/Connection/Db2.php
  2. +3 −3 lib/Doctrine/Connection/Pgsql.php
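--- a/lib/Doctrine/Connection/Db2.php
+++ b/lib/Doctrine/Connection/Db2.php
@@ -46,7 +46,7 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
 return $query;
 if ($offset == 0) {
- return $query . ' FETCH FIRST '. $limit .' ROWS ONLY';
+ return $query . ' FETCH FIRST '. (int)$limit .' ROWS ONLY';
 } else {
 $sqlPieces = explode('from', $query);
 $select = $sqlPieces[0];
@@ -56,8 +56,8 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
 $sql = 'WITH OFFSET AS(' . $select . ', ROW_NUMBER() ' .
 'OVER(ORDER BY ' . $col[1] . ') AS doctrine_rownum FROM ' . $table . ')' .
- $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . $offset .
- 'AND ' . ($offset + $limit - 1);
+ $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . (int)$offset .
+ 'AND ' . ((int)$offset + (int)$limit - 1);
 return $sql;
 }
 }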
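Review bot: The casts are applied at each concatenation site, but the branch test `if ($offset == 0)` in the first hunk still compares the raw argument, so the branch taken and the integer emitted can disagree for non-numeric input, depending on PHP's loose-comparison rules. The `! empty($limit)` and `! empty($offset)` guards in Pgsql.php have the same shape. Normalising once at the top of modifyLimitQuery(), `$limit = (int) $limit; $offset = (int) $offset;`, keeps every later use on the integer and leaves no concatenation site to be forgotten in a future edit. Separately, the second hunk joins `(int)$offset . 'AND '` with no space before `AND`, which looks like it emits `BETWEEN 10AND 19`; `' AND '` would be safer. The start of the function is outside these hunks, so an earlier guard may already cover part of this.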
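--- a/lib/Doctrine/Connection/Pgsql.php
+++ b/lib/Doctrine/Connection/Pgsql.php
@@ -142,14 +142,14 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
 $from = $match[2];
 $where = $match[3];
 $query = $manip . ' ' . $from . ' WHERE ctid=(SELECT ctid FROM '
- . $from . ' ' . $where . ' LIMIT ' . $limit . ')';
+ . $from . ' ' . $where . ' LIMIT ' . (int)$limit . ')';
 } else {
 if ( ! empty($limit)) {
- $query .= ' LIMIT ' . $limit;
+ $query .= ' LIMIT ' . (int)$limit;
 }
 if ( ! empty($offset)) {
- $query .= ' OFFSET ' . $offset;
+ $query .= ' OFFSET ' . (int)$offset;
 }
 }
 }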
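Review bot: `(int)` coerces silently, so a tampered limit or offset made of digits followed by SQL text is cut down to its numeric prefix and the query runs as if the input had been valid. That removes the injection but also the signal that something was wrong. Because both arguments are meant to be integers, rejecting anything else when a value is supplied would be stricter and visible to callers and logs, for example checking `ctype_digit((string) $limit)` and throwing `InvalidArgumentException` on failure. The diffstat lists only the two connection classes, so a regression test passing a non-numeric limit and offset to modifyLimitQuery() would be worth adding to pin this fix. The function's opening lines are outside the hunk, so existing validation there cannot be ruled out.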
