[Security] Fix sql injection in modifyLimitQuery() for PgSQL and DB2

beberlei · beberlei · commit fcaa63256e30 · 2011-03-20T20:46:05.000+01:00
diff --git a/lib/Doctrine/Connection/Db2.php b/lib/Doctrine/Connection/Db2.php
@@ -46,7 +46,7 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
             return $query;
 
         if ($offset == 0) {
-            return $query . ' FETCH FIRST '. $limit .' ROWS ONLY';
+            return $query . ' FETCH FIRST '. (int)$limit .' ROWS ONLY';
         } else {
             $sqlPieces = explode('from', $query);
             $select = $sqlPieces[0];
@@ -56,8 +56,8 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
 
             $sql = 'WITH OFFSET AS(' . $select . ', ROW_NUMBER() ' .
                'OVER(ORDER BY ' . $col[1] . ') AS doctrine_rownum FROM ' . $table . ')' .
-               $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . $offset .
-                   'AND ' . ($offset + $limit - 1);
+               $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . (int)$offset .
+                   'AND ' . ((int)$offset + (int)$limit - 1);
             return $sql;
         }
     }
diff --git a/lib/Doctrine/Connection/Pgsql.php b/lib/Doctrine/Connection/Pgsql.php
@@ -142,14 +142,14 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
                 $from  = $match[2];
                 $where = $match[3];
                 $query = $manip . ' ' . $from . ' WHERE ctid=(SELECT ctid FROM '
-                       . $from . ' ' . $where . ' LIMIT ' . $limit . ')';
+                       . $from . ' ' . $where . ' LIMIT ' . (int)$limit . ')';
 
             } else {
                 if ( ! empty($limit)) {
-                  $query .= ' LIMIT ' . $limit;
+                  $query .= ' LIMIT ' . (int)$limit;
                 }
                 if ( ! empty($offset)) {
-                  $query .= ' OFFSET ' . $offset;
+                  $query .= ' OFFSET ' . (int)$offset;
                 }
             }
         }

Original file line number	Original file line	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan`
`46`	`return $query;`	`46`	`return $query;`
`47`		`47`
`48`	`if ($offset == 0) {`	`48`	`if ($offset == 0) {`
`49`	`- return $query . ' FETCH FIRST '. $limit .' ROWS ONLY';`	`49`	`+ return $query . ' FETCH FIRST '. (int)$limit .' ROWS ONLY';`
`50`	`} else {`	`50`	`} else {`
`51`	`$sqlPieces = explode('from', $query);`	`51`	`$sqlPieces = explode('from', $query);`
`52`	`$select = $sqlPieces[0];`	`52`	`$select = $sqlPieces[0];`
`@@ -56,8 +56,8 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan`
`56`		`56`
`57`	`$sql = 'WITH OFFSET AS(' . $select . ', ROW_NUMBER() ' .`	`57`	`$sql = 'WITH OFFSET AS(' . $select . ', ROW_NUMBER() ' .`
`58`	`'OVER(ORDER BY ' . $col[1] . ') AS doctrine_rownum FROM ' . $table . ')' .`	`58`	`'OVER(ORDER BY ' . $col[1] . ') AS doctrine_rownum FROM ' . $table . ')' .`
`59`	`- $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . $offset .`	`59`	`+ $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . (int)$offset .`
`60`	`- 'AND ' . ($offset + $limit - 1);`	`60`	`+ 'AND ' . ((int)$offset + (int)$limit - 1);`
`61`	`return $sql;`	`61`	`return $sql;`
`62`	`}`	`62`	`}`
`63`	`}`	`63`	`}`
Original file line number	Original file line	Diff line number	Diff line change
`@@ -142,14 +142,14 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan`
`142`	`$from = $match[2];`	`142`	`$from = $match[2];`
`143`	`$where = $match[3];`	`143`	`$where = $match[3];`
`144`	`$query = $manip . ' ' . $from . ' WHERE ctid=(SELECT ctid FROM '`	`144`	`$query = $manip . ' ' . $from . ' WHERE ctid=(SELECT ctid FROM '`
`145`	`- . $from . ' ' . $where . ' LIMIT ' . $limit . ')';`	`145`	`+ . $from . ' ' . $where . ' LIMIT ' . (int)$limit . ')';`
`146`		`146`
`147`	`} else {`	`147`	`} else {`
`148`	`if ( ! empty($limit)) {`	`148`	`if ( ! empty($limit)) {`
`149`	`- $query .= ' LIMIT ' . $limit;`	`149`	`+ $query .= ' LIMIT ' . (int)$limit;`
`150`	`}`	`150`	`}`
`151`	`if ( ! empty($offset)) {`	`151`	`if ( ! empty($offset)) {`
`152`	`- $query .= ' OFFSET ' . $offset;`	`152`	`+ $query .= ' OFFSET ' . (int)$offset;`
`153`	`}`	`153`	`}`
`154`	`}`	`154`	`}`
`155`	`}`	`155`	`}`