Re: [off] PHP: a fractal of bad design

Date: Wed, 11 Apr 2012 17:28:52 +0000
Subject: Re: [off] PHP: a fractal of bad design
Groups: php.internals
Lester,

Even with PDO and older versions of MySQL, you could inject into
prepared statements quite easily (assuming charset settings):

// A GBK lead byte (0xbf) followed by a single quote (0x27).
$var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';

$pdo = new PDO('mysql:...');
// Changes the charset on the server side only; the client library that
// does the escaping for emulated prepares is not told.
$pdo->query('SET NAMES GBK');
$stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
$stmt->bindParam(1, $var);
$stmt->execute();

Without setting $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0)
first, that will successfully inject into the query thanks to how PDO
emulates prepares.

A problem that true prepared statements (MySQLi, or PDO with emulated
prepares off) are immune to...

Anthony

On Wed, Apr 11, 2012 at 12:06 PM, Lester Caine <[email protected]> wrote:
> Ralph Schindler wrote:
>>
>> Hey Lester,
>>
>>
>>> That is almost archaic itself ...
>>> It should be replaced with a pointer to using parameters ( no we do not
>>> need 'prepared statements', just parameters ). One of the first things I
>>> implement on any code that I'm porting. Does away with any aggro over
>>> escaping strings and is totally safe 'injection' wise.
>>
>>
>> While I generally agree, 'just parameters' does have its limitations.
>> Sometimes there are special character sequences that can be exploited to
>> escape out of a quoted value in a SQL string.
>>
>> Offhand, this comes to mind about MySQL:
>> http://bugs.mysql.com/bug.php?id=8378
>
>
> Well if you must use a simple database ;)
>
> I've never used MySQL simply because it has yet to get to the same standard
> as Firebird ... But I'm talking about passing parameters direct to '?'
> entries in the SQL - something which if it CAN be broken then the database
> is also broken? The database handles the 'data' going into a single field at
> a time.
>
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk//
> Firebird - http://www.firebirdsql.org/index.php
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
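Added example, not code from the thread or from Anthony: the same statement run over a PDO connection configured so the emulated-prepare hole he describes is closed. Host, database name and credentials are placeholders.

```php
<?php
// Added example (not from the thread). Builds a PDO connection on which
// the 0xbf 0x27 trick above is inert: charset declared in the DSN and
// server-side prepared statements enforced.

function connectSafely(string $host, string $db, string $user, string $pass): PDO
{
    // Put the charset in the DSN. A later "SET NAMES GBK" sent via query()
    // changes the server side only; the client library that escapes values
    // for emulated prepares would still assume the old charset.
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";

    $pdo = new PDO($dsn, $user, $pass, [
        // Real server-side prepared statements: the bound value is sent in
        // its own packet and is never escaped into the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);

    // Fail loudly if a wrapper or driver default silently re-enabled emulation.
    if ($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
        throw new RuntimeException('PDO is still emulating prepares');
    }
    return $pdo;
}

function findRows(PDO $pdo, string $var): array
{
    // Same statement as in the message. With emulation off, the parameter
    // bytes are data only; they are never parsed as part of the query.
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
    $stmt->bindValue(1, $var, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (placeholder host, database and credentials).
$pdo = connectSafely('127.0.0.1', 'testdb', 'app', 'secret');
$var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';
var_dump(findRows($pdo, $var)); // the value is compared as a whole string
```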