Implemented request #64810 (impossible to load extension via pdo_sqlite) #3368
Conversation
|
Test and stuff finally pass. |
cwt137
changed the title
|
I changed branch to master so that this can be included in PHP 7.3. I also updated the title so it is hopefully more appropriate. I hear the feature freeze is on the 17th. What can I do to make sure this makes the deadline? |
|
Would love to see this in PHP 7.3. Ping @cmb69 and @smalyshev ! |
|
This PR is similar to #2698, and as such should at least be discussed on internals@. |
|
Loading binaries at runtime creates all kinds of tricky situations IMHO, even in single-threaded servers. Does it really needs to be happen at runtime? Maybe have INI value that pre-loads all needed extensions would be better? |
|
How is that different from SQLite3::loadExtension()? |
|
indeed, not very different. So I guess if PDO maintainers are fine with it, then ok, but since it's in PDO probably needs to be discussed. |
|
@cmb69 This is totally different than that PR. That PR is about getting blob data from a result as a stream? This PR is basically to add functionality to SQLite via its extensions system. The only thing similar is that both PRs add a sqlite instance method onto the PDO class. @BenMorel This PR implements the same functionality as @smalyshev It shouldn't be an ini setting because on every request that uses pdo_sqlite would load the extension. Also, you might want to load a different extension, depending on what the request is. This is why I think the people who created the original method for the SQLite3 API implemented it this way. I am trying to make sure PDO has the same functionality as SQLite3. |
|
@cwt137 I know, I was reacting to @smalyshev's comment. However, I just realized that your PR adds a Is there any reason why you couldn't just add support for |
|
Nobody knows why the select statement doesn’t work. Is it a problem with PHP or SQLite? Who knows. So, I provided a solution that would make it easy for people to transition to PDO.
… On Jul 10, 2018, at 10:25 PM, Benjamin Morel ***@***.***> wrote:
@cwt137 I know, I was reacting to @smalyshev's comment.
However, I just realized that your PR adds a sqliteLoadExtension() method to PDO, which makes it similar in this matter to #2698 indeed (this is what @cmb69 meant), and IMHO is not a good thing to do: PDO should stay as generic as possible.
Is there any reason why you couldn't just add support for SELECT LOAD_EXTENSION(), which is what the original PHP bug is about, and which wouldn't require a new PDO method?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
|
|
What about creating an ini option to enable SQLite LOAD EXTENSION in PDO then? Something like: This would be off by default to keep the current behaviour. This would avoid having to add a SQLite-specific method to PDO (which again, IMO is not a good idea), and we could use |
|
Just noficed that the So I stand with my suggestion above, ini option |
|
I forgot about this function. Like you said, the ability to load a SQLite extention is turned on temporarily. This is for security reasons. Turning on the loading of extensions could be done on initializing pdo_sqlite, but a hacker could load an extension using the select statement if they used SQL injection. |
|
To me, SQL injection is a thing of the past. If you're using prepared statements, you should never ever have to build a query string from a user-originated variable, so this is a non-issue. This is just my opinion, of course. |
# Conflicts: # ext/pdo_sqlite/config.m4 # ext/pdo_sqlite/config.w32
|
@BenNorel I agree with you 100%! Everybody should be parameterizing their SQL. But unfortunately it is not the case and it is the #1 security hole/threat/whatever according to OWASP. Also, I do not think it is a good idea removing the current 3 PDO methods for SQLite. They provide a valuable purpose and because of the unique nature of SQLite, there is no equivalent in other SQL databases. For example, in SQLite, you create your own user defined function (UDF) in PHP and have the database use it. But, the UDF does not run on the database, but runs in the programming language that created the UDF. Here is one big usecase; because the default build of SQLite does not have any trigonometric functions, you must use PHP to create a UDF to use inside of PHP. This is accomplished by using one of the 3 extra PDO methods. Here is an example. |
|
You have a point regarding the necessity of keeping the current PDO methods for SQLite! Now, I honestly don't mind which solution is retained, as long as I'm just standing up by my comment above, that SQL injection should not be a reason not to add useful functionality in a library. Anyone not using prepared statements and blindly injecting user input into their SQL queries is asking for trouble anyway. When you can already fiddle with, or drop their database, I don't care if you can, also, execute abitrary extensions on their server. |
|
So, has there been any progress regarding this feature? |
|
@BenMorel i strongly disagree on a global INI option to enable loading extensions, potentially everywhere in every PDO::query call. Stating "sql injection is a thing of the past" is also quite dangerous, given that it is still in the top 10 of OWASP list, it is very much a thing of the present. PDOs API is weird and different drivers add different things to the class. This is not restricted to sqlite driver and I don't think taking a stand now on preventing further changes to this weird API makes sense. |
|
The PR needs a rebase onto 7.4 or master, since the ZTS threadsafe handling in sqlite extensions is not present anymore. |
There was a problem hiding this comment.
I think this should be okay in this form for 7.4. As has been pointed out, there are already multiple similar methods provided by PDO SQLite and the API closely matches what the sqlite3 extension does. I agree with @beberlei that having this contained API is better than a global ini setting, especially in light of the recent introduction of the defensive setting for sqlite3.
| @@ -66,6 +66,10 @@ if test "$PHP_PDO_SQLITE" != "no"; then | |||
| PHP_CHECK_LIBRARY(sqlite3,sqlite3_key,[ | |||
| AC_DEFINE(HAVE_SQLITE3_KEY,1, [have commercial sqlite3 with crypto support]) | |||
| ]) | |||
| PHP_CHECK_LIBRARY(sqlite3,sqlite3_load_extension, | |||
| [], | |||
| [AC_DEFINE(SQLITE_OMIT_LOAD_EXTENSION, 1, [have sqlite3 with extension support]) | |||
There was a problem hiding this comment.
This is a bit odd, we'd usually go for a positive define instead. HAVE_SQLITE3_LOAD_EXTENSION would be typical.
| @@ -4,6 +4,7 @@ ARG_WITH("pdo-sqlite", "for pdo_sqlite support", "no"); | |||
|
|
|||
| if (PHP_PDO_SQLITE != "no") { | |||
| if (SETUP_SQLITE3("pdo_sqlite", PHP_PDO_SQLITE, PHP_PDO_SQLITE_SHARED)) { | |||
| ADD_FLAG('CFLAGS_PDO_SQLITE', "/D SQLITE_THREADSAFE=" + (PHP_ZTS == "yes" ? "1" : "0") + " "); | |||
There was a problem hiding this comment.
Not sure I understand the purpose of this change. As we no longer bundle libsqlite3 nowadays, does this even have an effect?
That's a crazy state of things in 2019, probably due to a lot of legacy code, and poor developer training.
I guess you're right. Either way to implement it will be good for me anyway! 👍 |
|
Once again, what was the solution? Feature still seems to be non-existent, at least in PHP documentation. |
|
This PR is still unresolved. The problem is that adding driver specific methods to PDO via the currently existing mechanism (basicall |
|
Uh-oh. From one point, I do understand concern about "polluting the function space". From another, I kinda really need it (and some other people from SO too, I guess). Maybe they would agree on something like |
|
I found a workaround for this functionality not being present yet, but it involves a fair amount of spooky black magic and I definitely wouldn't recommend it for production. |
|
This appears to have gone stale, and there appears to be more recent work going on in this area, so closing now. |
|
@krakjoe This is still not solved as far as I can tell, though. Could you please point me to another issue / PR that would deal with this? |
|
I'm afraid there is no recent work going on in this area. This needs a general solution regarding driver specific functionality; otherwise such feature additions are blocked indefinitely. :( |
|
@BenMorel, please raise this as general issue on the internals ML – we really need a general solution (do it like it has done before; driver specific subclasses; helper classes; whatever). |
|
My apologies, at a glance, it looks like 5765 is related and more recent, but I see it's not really going anywhere either ... |
|
Oh, indeed, PR #5765 tries to adress this isseu in a general way. Driver objects might be the way to go to reduce BC issues. |
Hello. This is an attempt to fix https://bugs.php.net/bug.php?id=64810 . This allows PDO to load extensions just like the native Sqlite3 API can do. This means there is more feature parity between the two APIs.
A couple of tests are failing. Could I please have some help resolving it?