Enhance OCI quoting by using the Zend Framework OCI code for quoting

03526de9 · Benjamin Eberlei · cc7987d9 · 03526de9 · 03526de9
Commit 03526de9 authored Sep 25, 2011 by Benjamin Eberlei
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 2 deletions

OCI8Connection.php lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php +6 -2

DataAccessTest.php tests/Doctrine/Tests/DBAL/Functional/DataAccessTest.php +8 -0

No files found.
--- a/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
+++ b/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
@@ -81,9 +81,13 @@ class OCI8Connection implements \Doctrine\DBAL\Driver\Connection
     * @param int $type PDO::PARAM* 
     * @return mixed
     */
-    public function quote($input, $type=\PDO::PARAM_STR)
+    public function quote($value, $type=\PDO::PARAM_STR)
    {
-        return is_numeric($input) ? $input : "'" . str_replace("'", "''", $input) . "'";
+        if (is_int($value) || is_float($value)) {
+            return $value;
+        }
+        $value = str_replace("'", "''", $value);
+        return "'" . addcslashes($value, "\000\n\r\\\032") . "'";
    }
    /**

--- a/tests/Doctrine/Tests/DBAL/Functional/DataAccessTest.php
+++ b/tests/Doctrine/Tests/DBAL/Functional/DataAccessTest.php
@@ -269,4 +269,12 @@ class DataAccessTest extends \Doctrine\Tests\DbalFunctionalTestCase
        $this->assertEquals('2010-03-01', date('Y-m-d', strtotime($row['add_month'])), "Adding month should end up on 2010-03-01");
        $this->assertEquals('2009-11-01', date('Y-m-d', strtotime($row['sub_month'])), "Adding month should end up on 2009-11-01");
    }
+    public function testQuoteSQLInjection()
+    {
+        $sql = "SELECT * FROM fetch_table WHERE test_string = " . $this->_conn->quote("bar' OR '1'='1");
+        $rows = $this->_conn->fetchAll($sql);
+        $this->assertEquals(0, count($rows), "no result should be returned, otherwise SQL injection is possible");
+    }
 }
\ No newline at end of file