Newsgroups: php.internals
Message-ID: <4474624D.90304@vocalspace.com>
Date: Wed, 24 May 2006 08:40:29 -0500
To: PHPdev
From: dante@vocalspace.com ("D. Dante Lorenso")
Subject: Is PostgreSQL 8.1.3--->8.1.4 necessary for 'properly' escaped coders?

All,

I use PostgreSQL 8.1.3 extensively. Currently all my PHP 5.1.4 code is using the pgsql extension to connect. My newer development code is connecting through the newer PDO/pgsql extension.

Is the PostgreSQL 8.1.4 SQL injection bug fix necessary if I've been well behaved by passing *all* SQL values through either of these escaping functions?

  * pgsql: pg_escape_string(...)
  * PDO: bindValue(..., ..., ...)

A similar question was recently posted over in general, but I didn't see any response, and a reply suggested we ask internals.
See the recent Slashdot post:

======================================================================
Developers: PostgreSQL 8.1.4 Released to Plug Injection Hole
======================================================================

Posted by [1]ScuttleMonkey on Tuesday May 23, @09:42PM
from the good-little-dutch-boy dept.

alurkar writes to tell us that PostgreSQL released version 8.1.4 today in order to combat a security flaw allowing a [2]SQL injection attack. From the article: "The vulnerability affects PostgreSQL servers exposed to untrusted input, such as input coming from Web forms, in conjunction with multi-byte encodings like Shift-JIS (SJIS), 8-bit Unicode Transformation Format (UTF-8), 16-bit Unicode Transformation Format (UTF-16), and BIG5. In particular, Berkus says that applications using 'ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes' are particularly unsafe. 'Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure.'"

[1] http://slashdot.org/~ScuttleMonkey/
[2] http://www.newsforge.com/article.pl?sid=06/05/23/2141246
[3] http://developers.slashdot.org/developers/06/05/23/2228225.shtml
[4] http://developers.slashdot.org/developers/06/05/23/2228225.shtml
[5] http://developers.slashdot.org/article.pl?sid=06/05/23/2228225&threshold=-1
[6] http://developers.slashdot.org/

Dante
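Added example (not part of the original post or of PHP/PostgreSQL): a byte-level model of why the ad-hoc escaping named in the quoted article fails under a multi-byte client encoding, and what a charset-aware escaper does differently. It is written in Python rather than PHP so the bytes are explicit. Assumptions: addslashes_bytes() is a simplified model of PHP's addslashes() (it only knows bytes, not characters); escape_sjis() is a simplified model of a connection-encoding-aware escaper of the kind the article calls "database-specific code", not a copy of pg_escape_string(); server_parse() is a toy model of a PostgreSQL 8.1 backend reading a single-quoted literal with client_encoding = SJIS (backslash escapes and doubled quotes honoured); the table name, column and inputs are constructed for illustration.

```python
"""Why byte-oriented escaping breaks under Shift-JIS, and the charset-aware alternative.

Added illustration, not code from the post or from PHP/PostgreSQL. Names and
inputs are constructed; the three functions are simplified models, see comments.
"""

SJIS = "shift_jis"

# In Shift-JIS the character 表 (U+8868) is encoded as 0x95 0x5C. The trail byte
# 0x5C is also the ASCII backslash, exactly the byte a byte-oriented escaper inserts.
HYOU = "表".encode(SJIS)          # b"\x95\x5c"


def addslashes_bytes(data: bytes) -> bytes:
    """Model of PHP's addslashes(): prefix every ' " \\ and NUL *byte* with a
    backslash. It has no notion of the client charset, so it can create a new
    multibyte character by pairing its backslash with a preceding lead byte."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_sjis(data: bytes) -> bytes:
    """Model of a connection-encoding-aware escaper (assumption: what a
    database-specific escaper does). It decodes the bytes in the connection
    encoding first, so multibyte characters are handled as units, rejects input
    that is not valid in that encoding, doubles quotes and backslashes, and
    re-encodes. The quote is doubled ('') rather than backslash-escaped."""
    try:
        text = data.decode(SJIS)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid Shift-JIS: {exc}") from None
    return text.replace("\\", "\\\\").replace("'", "''").encode(SJIS)


def build_query(escaped: bytes) -> bytes:
    """Splice an (already escaped) value into SQL text, as ad-hoc code does."""
    return b"SELECT * FROM users WHERE name = '" + escaped + b"' AND active = 1"


def server_parse(query: bytes):
    """Toy model of a PostgreSQL 8.1 backend with client_encoding = SJIS reading
    the first single-quoted literal: characters are decoded in the connection
    encoding (so 0x95 0x5C is one character, not a backslash), a backslash
    escapes the next character, and '' is a literal quote. Returns
    (literal_value, sql_text_following_the_literal)."""
    text = query.decode(SJIS)
    i = text.index("'") + 1
    value = []
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            value.append(text[i + 1])
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(text) and text[i + 1] == "'":
                value.append("'")
                i += 2
                continue
            return "".join(value), text[i + 1:]
        value.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


# Constructed attacker input: a lone SJIS lead byte, then a quote, then SQL.
MALICIOUS = b"\x95' OR 1=1 --"
# Constructed legitimate input: 表 followed by an apostrophe ("表's"), valid SJIS.
LEGIT = HYOU + b"'s"


def demo():
    """Run both escapers over both inputs; returns a dict of outcomes."""
    results = {}
    # addslashes turns 0x95 0x27 into 0x95 0x5C 0x27: the server sees 表 then a
    # bare quote, the literal closes early and " OR 1=1 --" becomes SQL.
    results["addslashes_malicious"] = server_parse(build_query(addslashes_bytes(MALICIOUS)))
    try:
        escape_sjis(MALICIOUS)
        results["charset_aware_malicious"] = "accepted"
    except ValueError:
        results["charset_aware_malicious"] = "rejected as invalid encoding"
    results["charset_aware_legit"] = server_parse(build_query(escape_sjis(LEGIT)))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The byte-oriented escaper produces a query whose literal ends after 表 and whose tail is " OR 1=1 --' AND active = 1", i.e. an injection; the charset-aware escaper refuses the invalid byte sequence outright and, on the valid input, yields the literal "表's" with the intended " AND active = 1" still in place. Bound parameters (the PDO bindValue() path in the post) sidestep this whole question, because the value is sent separately and never becomes part of the SQL text that the server tokenizes.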