pg_select() and similar are vulnerable to SQL injection via identifier

Bug #62978 pg_select() and similar are vulnerable to SQL injection via identifier
Submitted: 2012-08-30 22:58 UTC Modified: 2015-04-08 09:36 UTC
From: slokunshialgo at gmail dot com Assigned: yohgaki (profile)
Status: Closed Package: PostgreSQL related
PHP Version: 5.3 - master OS: *
Private report: No CVE-ID: None

 [2012-08-30 22:58 UTC] slokunshialgo at gmail dot com

Description:
------------
---
From manual page: http://www.php.net/function.pg-select#refsect1-function.pg-select-examples
---
The one example given passes $_POST directly to pg_select as a list of parameters to select on. There are 2 major issues with this:

1) It doesn't show the actual parameters being passed, making the example difficult to understand
2) Using end-user-supplied values like this is a perfect vector for SQL injection, and as such is a huge security risk.

While #1 is a concern, #2 is a larger one, since newer programmers seeing it will think that's good practice, and start putting such security issues into their own code.


History

 [2013-06-29 20:36 UTC] yohgaki@php.net

-Status: Open +Status: Analyzed -Type: Documentation Problem +Type: Security -Package: Documentation problem +Package: PostgreSQL related -Assigned To: +Assigned To: yohgaki -Private report: No +Private report: Yes

 [2013-06-29 20:36 UTC] yohgaki@php.net

This is the way it is supposed to be used. pg_select() and similar functions should automatically escape string vars, and they do.

pg_select($db, 't1',['str'=>"It's a string"]);
produces
LOG:  statement: SELECT * FROM t1 WHERE str='It''s a string';
Note that the string is properly escaped.

However, they don't escape identifiers. This should be fixed.

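The two findings above (the reporter's point that the manual passes $_POST straight to pg_select(), and the maintainer's point that values are escaped but identifiers are not) can be reproduced without a database. The block below is an added example, not code from the PHP project and not pg_select()'s C implementation: it is a Python model of how such a helper builds its WHERE clause, with the reported flaw next to a hardened version that quotes identifiers and optionally checks column names against an allowlist. The function names and the request-parameter inputs are constructed for this example.

```python
"""Added example: a Python model of the WHERE-clause construction the report
describes (values escaped, identifiers spliced in raw) next to a hardened
version. This is not PHP's pg_select() implementation; function names here
are hypothetical, and the sample inputs are constructed for the example."""


def escape_literal(value) -> str:
    """Model of pg_escape_literal(): wrap in single quotes and double any
    embedded single quote. Real code should let libpq do this so that the
    connection's encoding and standard_conforming_strings setting are
    honoured; this model assumes standard-conforming strings."""
    return "'" + str(value).replace("'", "''") + "'"


def quote_identifier(name: str) -> str:
    """Model of pg_escape_identifier(): wrap in double quotes and double any
    embedded double quote, so the name can only ever be parsed as one
    identifier, never as SQL syntax."""
    if "\x00" in name:
        raise ValueError("NUL byte is not allowed in an identifier")
    return '"' + name.replace('"', '""') + '"'


def build_select_vulnerable(table: str, conditions: dict) -> str:
    """The flaw from the report: values go through escape_literal(), but the
    dictionary keys (column names) are concatenated unchanged."""
    where = " AND ".join(
        f"{column}={escape_literal(value)}" for column, value in conditions.items()
    )
    return f"SELECT * FROM {table} WHERE {where};"


def build_select_hardened(table: str, conditions: dict, allowed_columns=None) -> str:
    """Quote every identifier (table and column names) and, where the caller
    knows the schema, reject column names outside an allowlist."""
    if allowed_columns is not None:
        unknown = sorted(set(conditions) - set(allowed_columns))
        if unknown:
            raise ValueError(f"column names not in allowlist: {unknown}")
    where = " AND ".join(
        f"{quote_identifier(column)}={escape_literal(value)}"
        for column, value in conditions.items()
    )
    return f"SELECT * FROM {quote_identifier(table)} WHERE {where};"


# Constructed inputs. The first mirrors the log line quoted in the report; the
# second plays the role of a request parameter *name* that an attacker controls
# when the whole $_POST array is handed to pg_select().
BENIGN = {"str": "It's a string"}
INJECTED_KEY = "str='x' OR 1=1 --"
HOSTILE = {INJECTED_KEY: "It's a string"}


def demo() -> dict:
    """Return the generated SQL for each case so it can be inspected or
    asserted on. With the vulnerable builder the hostile key yields
    ... WHERE str='x' OR 1=1 --='It''s a string';  (the comment marker swallows
    the rest, so every row matches). The hardened builder turns the same key
    into one quoted identifier, which PostgreSQL would reject as an unknown
    column instead of executing."""
    results = {
        "benign_vulnerable": build_select_vulnerable("t1", BENIGN),
        "hostile_vulnerable": build_select_vulnerable("t1", HOSTILE),
        "hostile_hardened": build_select_hardened("t1", HOSTILE),
    }
    try:
        build_select_hardened("t1", HOSTILE, allowed_columns={"id", "str"})
        results["hostile_allowlisted"] = "accepted"
    except ValueError as exc:
        results["hostile_allowlisted"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, sql in demo().items():
        print(f"{case}: {sql}")
```

Quoting the identifier is what makes the attacker's key harmless: everything between the double quotes is a name, so `OR 1=1 --` is never seen by the parser as operators or a comment. The allowlist is the stronger control for application code, because a quoted-but-unexpected column name still produces an error that leaks schema information, and because identifier quoting only helps once every caller uses it.
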
 [2013-06-29 20:39 UTC] yohgaki@php.net

-Status: Analyzed +Status: Assigned -Operating System: +Operating System: * -PHP Version: 5.4.6 +PHP Version: 5.3 - master

 [2013-06-29 20:39 UTC] yohgaki@php.net

I think this problem existed from the beginning. So any version which has pg_select()/etc. is affected.

 [2013-06-29 20:49 UTC] yohgaki@php.net

-Summary: pg_select() doc example has severe security issues +Summary: pg_select() and similar are vulnerable to SQL injection via identifier

 [2013-08-05 10:02 UTC] yohgaki@php.net

This fix is treated as a security enhancement, so the 5.3 branch won't be fixed.