Newsgroups: php.internals
Xref: news.php.net php.internals:78830
Date: Thu, 6 Nov 2014 19:52:05 -0500
To: internals@lists.php.net
Subject: PDO mysql - add feature to enforce single statements?
From: peter.wolanin@acquia.com (Peter Wolanin)

Problem: with PDO, the mysql driver allows multiple queries when prepares are emulated, where non-emulated does not. This makes SQL injections with PDO mysql potentially much more damaging.

Suggested solution: add a PDO attribute that could be set on a connection, or a driver option for PDO::prepare, to enforce the limit of a single query being prepared or run.

Happy to open a bug report/feature request, but looking for feedback first.

More background:

The Drupal project recently had a serious SQL injection vulnerability uncovered: https://www.drupal.org/SA-CORE-2014-005

A technical discussion of it: http://blog.ircmaxell.com/2014/10/a-lesson-in-security.html

To be brief, from Drupal 6.x to Drupal 7.x we converted from wrappers on mysqli_query and pg_query to a database layer that extends from PDO. The most common setup is using PDO mysql and emulated prepared statements. This turns out to have made the potential damage to Drupal 7 much greater when an SQL injection is discovered, since the emulated prepare allows multiple SQL statements; hence a single SELECT can be modified into a SELECT followed by one or more INSERT or UPDATE statements. mysqli only supports a single statement.

Since this situation probably affects many web applications using PDO, I'd like to see if a new PDO attribute could be added which would, e.g., cause the driver to throw an exception if multiple statements were sent at once. Ideally, this could be backported to current releases.

-Peter Wolanin
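The behaviour Peter describes can be checked directly. The script below is an added example, not code from the original post, from Drupal or from PHP itself. It runs the same injected input (a valid id followed by a stacked UPDATE) through three PDO mysql connections: emulated prepares with the default client flags, native prepares, and emulated prepares with PDO::MYSQL_ATTR_MULTI_STATEMENTS turned off (that driver option was added to PHP in 5.5.21 / 5.6.5, after this message, and is the attribute the post is asking for). It assumes a reachable MySQL server whose DSN, user and password come from the environment variables DEMO_DSN, DEMO_USER and DEMO_PASS, and that the user may create and drop a scratch table named pdo_multi_demo; the table name, the environment variable names and the attacker payload are all constructed for the example.

```php
<?php
// Added example, not part of the original post or of PHP's own code.
// Shows what a stacked statement does to a PDO mysql connection under
// emulated prepares (the PHP default) versus native prepares, and how to
// refuse multiple statements on a connection.
//
// Assumptions (not from the post): a reachable MySQL server, with DSN, user
// and password read from the environment variables DEMO_DSN, DEMO_USER and
// DEMO_PASS; the user may create and drop the scratch table pdo_multi_demo.

$dsn  = getenv('DEMO_DSN')  ?: 'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4';
$user = getenv('DEMO_USER') ?: 'root';
$pass = getenv('DEMO_PASS') ?: '';

/**
 * Open a connection with the two settings that decide whether a stacked
 * statement gets through. PDO::MYSQL_ATTR_MULTI_STATEMENTS was added to PHP
 * (5.5.21 / 5.6.5) after this thread; it is only honoured in the
 * constructor's driver-options array, not via setAttribute(), and the
 * defined() check keeps the script running on builds that lack it.
 */
function connect(string $dsn, string $user, string $pass, bool $emulate, bool $multi): PDO
{
    $options = [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => $emulate,
    ];
    if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) {
        $options[PDO::MYSQL_ATTR_MULTI_STATEMENTS] = $multi;
    }
    return new PDO($dsn, $user, $pass, $options);
}

/** Scratch table with one row whose "touched" flag starts at 0. */
function setUpScratch(PDO $db): void
{
    $db->exec('DROP TABLE IF EXISTS pdo_multi_demo');
    $db->exec('CREATE TABLE pdo_multi_demo (id INT PRIMARY KEY, touched INT NOT NULL DEFAULT 0)');
    $db->exec('INSERT INTO pdo_multi_demo (id) VALUES (1)');
}

/**
 * The vulnerable pattern: untrusted input interpolated straight into SQL,
 * the same class of bug as SA-CORE-2014-005. Returns the driver's error
 * message if the statement was rejected, or null if it was accepted.
 */
function runInjected(PDO $db, string $untrusted): ?string
{
    $sql = "SELECT id FROM pdo_multi_demo WHERE id = $untrusted";
    try {
        $stmt = $db->prepare($sql);   // a native prepare fails here...
        $stmt->execute();             // ...an emulated one fails here, if at all
        $stmt->closeCursor();         // drain any further result sets
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

/** Read the flag back over a separate, locked-down connection. */
function wasTouched(PDO $db): bool
{
    $row = $db->query('SELECT touched FROM pdo_multi_demo WHERE id = 1')->fetch(PDO::FETCH_NUM);
    return $row !== false && (int) $row[0] === 1;
}

// Constructed attacker input: a valid id followed by a second, stacked statement.
$payload = '1; UPDATE pdo_multi_demo SET touched = 1';

$cases = [
    'emulated prepares, multi-statements on (default)'   => [true,  true],
    'native prepares (ATTR_EMULATE_PREPARES = false)'     => [false, true],
    'emulated prepares, MYSQL_ATTR_MULTI_STATEMENTS off'  => [true,  false],
];

$check = connect($dsn, $user, $pass, false, false);
foreach ($cases as $label => [$emulate, $multi]) {
    setUpScratch($check);
    $db = connect($dsn, $user, $pass, $emulate, $multi);
    $error = runInjected($db, $payload);
    $db = null;
    printf("%s\n  driver: %s\n  stacked UPDATE ran: %s\n",
        $label,
        $error === null ? 'accepted the statement' : 'rejected: ' . $error,
        wasTouched($check) ? 'yes' : 'no');
}
$check->exec('DROP TABLE IF EXISTS pdo_multi_demo');
```

In the first case the driver accepts the statement and the flag reads 1, which is the Drupal 7 situation: one injectable SELECT becomes an arbitrary write. In the other two the server rejects the text with a syntax error at the semicolon and the flag stays 0. Turning emulation off is the fix available on the PHP versions the post targets, but it is not a free change (native prepares cost a round trip per statement and, with mysqlnd, return typed values where emulated prepares return strings); the multi-statement flag, on builds that have it, is the narrower change and matches what the post asks for. Neither setting is a substitute for parameterised queries; they only bound the damage when a query-building bug slips through.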