Edit report at http://bugs.php.net/bug.php?id=47802&edit=1

 ID:                 47802
 Comment by:         ircmaxell at gmail dot com
 Reported by:        disbursement at dublin dot com
 Summary:            PDO_MYSQL doesn't use the charset parameter
 Status:             Closed
 Type:               Feature/Change Request
 Package:            MySQL related
 Operating System:   all
 PHP Version:        5.2.9
 Assigned To:        kalle
 Block user comment: N
 Private report:     N

 New Comment:

Re-opening this as it has security implications for 5.2.x. It should be
backported and re-released as a security fix for 5.2.x.

As it stands now, PDO::quote() does not protect against security
vulnerabilities without the ability to set the character set in the C api.

5.3.6 closes this hole when supplied with the optional charset parameter
(by appropriately setting the character set). However this will need to be
expressed in the documentation (I will file another issue on this topic).

Proof Of Concept Code:

$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
$sql = "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE ".$pdo->quote($string).";";
$stmt = $pdo->query($sql);
var_dump($stmt->rowCount());

Expected:

int(0)

Actual:

the number of tables on the server


Previous Comments:
------------------------------------------------------------------------
[2011-01-17 11:46:00] ka...@php.net

Will appear in PHP 5.3.6 :)

------------------------------------------------------------------------
[2011-01-17 10:54:23] ka...@php.net

Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=307529
Log: MFT: Implemented FR #47802 (Support for setting character sets in DSN strings)

------------------------------------------------------------------------
[2011-01-07 18:18:31] ka...@php.net

Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=307228
Log: Added test case for #47802 and fixed macro name after the move to mysql_options()

------------------------------------------------------------------------
[2011-01-07 15:40:32] ka...@php.net

Implemented in trunk for now

------------------------------------------------------------------------
[2011-01-07 15:39:58] ka...@php.net

Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=307224
Log: Implemented FR #47802, support for character sets in DSN strings for PDO_MYSQL

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=47802

--
Edit this bug report at http://bugs.php.net/bug.php?id=47802&edit=1
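
The byte-level reason the proof of concept in the comment above behaves as reported, as an added example that is not part of the bug report and is not PHP or libmysql code: a simplified Python model comparing an escaper that does not know the connection charset with one that does, then checking where a GBK-parsing server would end the quoted literal. The function names, the escape table and the handling of stray lead bytes are assumptions of this model; the sample string is the one from the report.

```python
# Added example: simplified model of client-side escaping, not PHP or libmysql code.
SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}

def is_gbk_pair(buf: bytes, i: int) -> bool:
    """True if buf[i:i+2] is a complete GBK double-byte character."""
    return (i + 1 < len(buf) and 0x81 <= buf[i] <= 0xFE
            and 0x40 <= buf[i + 1] <= 0xFE and buf[i + 1] != 0x7F)

def escape_single_byte(raw: bytes) -> bytes:
    """Escaper that treats every byte as one character (charset not set on the client)."""
    return b"".join(SPECIAL.get(b, bytes([b])) for b in raw)

def escape_gbk_aware(raw: bytes) -> bytes:
    """Escaper that knows the connection is GBK (assumed behaviour once the charset is set)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if is_gbk_pair(raw, i):
            out += raw[i:i + 2]          # complete character: copy untouched
            i += 2
            continue
        b = raw[i]
        if 0x81 <= b <= 0xFE:
            out += b"\\" + bytes([b])    # stray lead byte: escape it so it cannot pair up
        else:
            out += SPECIAL.get(b, bytes([b]))
        i += 1
    return bytes(out)

def literal_end(escaped: bytes) -> int:
    """Offset where a GBK-parsing server ends the quoted literal; len(escaped) if never early."""
    i = 0
    while i < len(escaped):
        if is_gbk_pair(escaped, i) or escaped[i] == 0x5C:
            i += 2                       # double-byte character, or backslash plus escaped byte
        elif escaped[i] == 0x27:
            return i                     # unescaped quote closes the literal
        else:
            i += 1
    return len(escaped)

SAMPLE = bytes([0xBF, 0x27]) + b" OR 1 = 1; /*"   # the string from the report

if __name__ == "__main__":
    for name, fn in (("single-byte", escape_single_byte), ("GBK-aware", escape_gbk_aware)):
        esc = fn(SAMPLE)
        print(f"{name:12} {esc!r} literal ends at {literal_end(esc)} of {len(esc)}")
```

With the single-byte escaper the inserted backslash (0x5C) is consumed as the trail byte of the GBK pair 0xBF 0x5C, so the quote at offset 2 is left unescaped; with the charset-aware escaper the literal runs to the end of the input.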