Bug #54674 [Csd->Asn]: mysqlnd valid_sjis_(head|tail) is using invalid operator and range.

[nihen at megabbs dot com]

Edit report at http://bugs.php.net/bug.php?id=54674&edit=1

 ID:                 54674
 User updated by:    nihen at megabbs dot com
 Reported by:        nihen at megabbs dot com
 Summary:            mysqlnd valid_sjis_(head|tail) is using invalid
                     operator and range.
-Status:             Closed
+Status:             Assigned
 Type:               Bug
 Package:            PDO related
 Operating System:   All
 PHP Version:        5.3.6
 Assigned To:        mysql
 Block user comment: N
 Private report:     N

 New Comment:

Thank you for "operator" fix.

but, it does not fix invalid "range".



> #define valid_sjis_tail(c)  ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <=
(c) && 

(c) <= 0x7C))



to



#define valid_sjis_tail(c)  ((0x40 <= (c) && (c) <= 0x7E) || (0x80 <=
(c) && (c) 

<= 0xFC))



is correct.

s/7C/FC/


Previous Comments:
------------------------------------------------------------------------
[2011-05-09 18:24:18] and...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the report!

------------------------------------------------------------------------
[2011-05-09 18:20:37] and...@php.net

Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=310856
Log: Fix for bug 54674..typo in the check of SJIS

------------------------------------------------------------------------
[2011-05-06 12:11:17] nihen at megabbs dot com

Original report by Hiroshi Tokumaru.

http://www.tokumaru.org/d/20110322.html#p01

http://www.tokumaru.org/d/20110329.html#p01

(lang:japanese)

------------------------------------------------------------------------
[2011-05-06 11:54:38] nihen at megabbs dot com

Description:
------------
impacts to:

1. mysqli->real_escape_string

2. use PDO at PDO::ATTR_EMULATE_PREPARES = true



"real_escape_string" must not escape multi-byte character.

but escape it.



This bug is a SQL-injection may cause.

Test script:
---------------
<?php

$japanese_so = pack('H4', '835c');



$mysql = mysqli_connect('localhost', 'sandbox', 'sandbox');

$mysql->set_charset('sjis');

echo $mysql->real_escape_string($japanese_so) === $japanese_so ? 'ok' :
'ng';

echo "\n";



Expected result:
----------------
echo "ok\n"

Actual result:
--------------
echo "ng\n"


------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=54674&edit=1