ID: 16895
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Assigned
Bug Type: PostgreSQL related
Operating System: GNU/Linux
PHP Version: 4.1.2
-Assigned To:
+Assigned To: yohgaki
Previous Comments:
------------------------------------------------------------------------

[2002-04-29 03:45:49] [EMAIL PROTECTED]

Cf. http://lists.debian.org/debian-security/2002/debian-security-200204/msg00328.html

A bad char encoding between PHP and PostgreSQL (don't know which is guilty here), followed by a bug in SQL queries in PostgreSQL, can lead to executing any SQL request.

Sample code here:
%<----------------------------------------
<?php
$conn = pg_connect("dbname=" . BASE_DOC . " port=" . BASE_PORT . " user=" . BASE_USER);

// non-ASCII character, then a backslash, then a quote, then injected SQL
// ("\'" is not an escape sequence in a double-quoted PHP string, so both
// characters survive literally)
$var = "é\'; BAD REQUEST";

// encoding changed behind the client library's back via plain SQL
pg_exec($conn, "SET client_encoding = 'LATIN1'");

// addslashes() works byte by byte and does not know the server encoding
$request = "SELECT col FROM tab WHERE col='" . addslashes($var) . "'";
pg_exec($conn, $request);
?>
%<----------------------------------------

See Debian-security archive for more details.

Already tested on a Debian Woody with PHP-cgi 4.1.2 (+php4-pgsql+php4-pear).

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=16895&edit=1
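The report's construction placed next to two hardened forms, as an added example that is not part of the bug report or of PHP's own code. It assumes pg_escape_string() (available from PHP 4.2.0, i.e. newer than the 4.1.2 in the report) and pg_query_params() (PHP 5.1.0 and later); the connection string and the tab/col names are placeholders taken from the report's sample query.

```php
<?php
// Added example, not from the bug report. Connection parameters are placeholders.
$conn = pg_connect("dbname=test port=5432 user=app");
if ($conn === false) {
    die("pg_connect failed\n");
}

// Same shape of input as in the report: a non-ASCII character, a literal
// backslash, a quote, then SQL that should never run.
$var = "é\\'; BAD REQUEST";

// 1. The reporter's pattern. addslashes() escapes bytes without knowing which
//    encoding the server will apply to them, and the encoding is switched with
//    a plain SQL statement that the client library does not track.
pg_exec($conn, "SET client_encoding = 'LATIN1'");
$unsafe = "SELECT col FROM tab WHERE col='" . addslashes($var) . "'";

// 2. Hardened escaping (PHP >= 4.2.0). Set the encoding through the client
//    library so connection state and escaping agree, and escape with the
//    PostgreSQL-specific function instead of the generic addslashes().
if (pg_set_client_encoding($conn, "LATIN1") !== 0) {
    die("could not set client encoding\n");
}
$escaped = "SELECT col FROM tab WHERE col='" . pg_escape_string($var) . "'";
$res = pg_exec($conn, $escaped);
if ($res === false) {
    die("query failed: " . pg_last_error($conn) . "\n");
}

// 3. Preferred (PHP >= 5.1.0): a parameterised query. The value is sent
//    separately from the SQL text, so no client-side escaping is involved and
//    an encoding mismatch cannot turn data into SQL.
$res = pg_query_params($conn, 'SELECT col FROM tab WHERE col = $1', array($var));
if ($res === false) {
    die("query failed: " . pg_last_error($conn) . "\n");
}
while (($row = pg_fetch_assoc($res)) !== false) {
    echo $row['col'], "\n";
}
?>
```

On PHP 5.2 and later, pass the connection as the first argument to pg_escape_string() so that escaping uses the connection's current encoding; the one-argument form used above exists only to fit the PHP 4.2 era of the report. Form 3 is the one to reach for whenever the PHP version allows it.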