Newsgroups: php.internals
Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Lester Caine
Cc: PHP internals
Date: Wed, 11 Apr 2012 13:28:52 -0400
In-Reply-To: <4F85AC06.50102@lsces.co.uk>
References: <4F8540E8.6050503@lsces.co.uk> <4F85A771.1070005@ralphschindler.com> <4F85AC06.50102@lsces.co.uk>

Lester,

Even with PDO and older versions of MySQL, you could inject into prepared
statements quite easily (assuming charset settings):

    $var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';
    $pdo = new PDO('mysql:...');
    $pdo->query('SET NAMES GBK');
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
    $stmt->bindParam(1, $var);
    $stmt->execute();

Without setting $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0) first, that
will successfully inject into the query thanks to how PDO emulates prepares.
A problem that true prepared statements (MySQLi, and PDO if emulate prepares
is off) are immune to...

Anthony

On Wed, Apr 11, 2012 at 12:06 PM, Lester Caine wrote:
> Ralph Schindler wrote:
>> Hey Lester,
>>
>>> That is almost archaic itself ...
>>> It should be replaced with a pointer to using parameters (no, we do not
>>> need 'prepared statements', just parameters). One of the first things I
>>> implement on any code that I'm porting. Does away with any aggro over
>>> escaping strings and is totally safe 'injection' wise.
>>
>> While I generally agree, 'just parameters' does have its limitations.
>> Sometimes there are special character sequences that can be exploited to
>> escape out of a quoted value in a SQL string.
>>
>> Offhand, this comes to mind about MySQL:
>> http://bugs.mysql.com/bug.php?id=8378
>
> Well if you must use a simple database ;)
>
> I've never used MySQL simply because it has yet to get to the same standard
> as Firebird ... But I'm talking about passing parameters direct to '?'
> entries in the SQL - something which, if it CAN be broken, then the database
> is also broken? The database handles the 'data' going into a single field at
> a time.
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk//
> Firebird - http://www.firebirdsql.org/index.php
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
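A byte-level model of the emulated-prepare problem Anthony describes, added here as an example (it is not code from the post or from PDO): a charset-unaware escaper turns 0xBF 0x27 into 0xBF 0x5C 0x27, a GBK decoder then reads 0xBF 0x5C as a single character, and the quote is live again; decoding the value in the connection charset before escaping rejects the stray lead byte instead. The SQL text, helper names and the small literal scanner are constructed for the illustration.

```python
# Added example, not from the original post: a byte-level model of why
# emulated (client-side) quoting breaks on a GBK connection. Names constructed.

def naive_escape(value: bytes) -> bytes:
    """Charset-unaware escaping: backslash every 0x5C and 0x27 byte."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def charset_aware_escape(value: bytes, charset: str) -> bytes:
    """Decode in the connection charset first, so a stray lead byte is
    rejected (UnicodeDecodeError) instead of swallowing the next byte."""
    text = value.decode(charset)
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)

def emulate_prepare(template: bytes, param: bytes, escape) -> bytes:
    """Emulated prepare: the parameter is spliced into the SQL text as a
    quoted literal before anything reaches the server."""
    return template.replace(b"?", b"'" + escape(param) + b"'", 1)

def string_literals(sql: str):
    """Scanner over decoded SQL: (literals, text outside literals, ended-inside)."""
    literals, outside, cur, in_str, i = [], [], [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str and c == "\\" and i + 1 < len(sql):
            cur.append(sql[i + 1]); i += 2; continue   # backslash escape inside a literal
        if c == "'":
            if in_str:
                literals.append("".join(cur)); cur = []
            in_str = not in_str
        else:
            (cur if in_str else outside).append(c)
        i += 1
    return literals, "".join(outside), in_str

TEMPLATE = b"SELECT * FROM foo WHERE 2 = ?"
PAYLOAD = b"1" + bytes([0xBF, 0x27]) + b" OR 1=1"   # the post's $var, as bytes

def literal_broken_under_gbk() -> bool:
    """0xBF 0x5C decodes as one GBK character, so the literal ends early."""
    literals, outside, _ = string_literals(
        emulate_prepare(TEMPLATE, PAYLOAD, naive_escape).decode("gbk"))
    return len(literals) == 1 and "OR 1=1" in outside

def rejected_when_charset_aware() -> bool:
    try:
        emulate_prepare(TEMPLATE, PAYLOAD, lambda v: charset_aware_escape(v, "gbk"))
    except UnicodeDecodeError:
        return True
    return False
```

True server-side prepared statements avoid the issue entirely because the parameter never becomes part of the SQL text, which is the PDO::ATTR_EMULATE_PREPARES point the post makes.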