ZF-2396: Zend_Db_Adapter_Pdo_Oci wrong quoting for single-quotes

Issue Type: Bug
Created: 2008-01-08T12:23:00.000+0000
Last Updated: 2008-10-10T14:41:47.000+0000
Status: Resolved
Fix version(s): 1.6.2 (13/Oct/08)

Reporter: Thorsten Kunz (sunfire)
Assignee: Mickael Perraud (mikaelkael)
Tags: Zend_Db

Related issues:
Attachments: oracle_oci.patch


The _quote function in Zend_Db_Adapter_Pdo_Oci quotes single-quotes with addcslashes. This is wrong since Oracle requires a single-quote to be escaped with another single-quote and not a backslash. Please use the _quote() function from Zend_Db_Adapter_Oracle for quoting since it is correct there.
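As an added illustration (not code from Zend Framework or from the attached patch), the PHP below contrasts the backslash-based quoting the report describes with the quote-doubling Oracle expects, and adds a check a unit test could use to catch a literal that ends early; the exact addcslashes character list is assumed.

```php
<?php
// Added illustration, not Zend Framework code. The character list passed to
// addcslashes is an assumption; the report only says the adapter uses addcslashes.

/** Quoting as described for the buggy Pdo_Oci adapter: backslash before the quote. */
function quoteWithBackslash(string $value): string
{
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}

/** Oracle-style quoting: every single quote is doubled, nothing else is touched. */
function quoteOracle(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * Check for a test suite: after removing the surrounding quotes, every single
 * quote left inside must belong to a '' pair. A lone quote (for example one
 * preceded only by a backslash) terminates the literal early in Oracle, and
 * whatever follows it is parsed as SQL.
 */
function isSafeOracleLiteral(string $quoted): bool
{
    if (strlen($quoted) < 2 || $quoted[0] !== "'" || substr($quoted, -1) !== "'") {
        return false;
    }
    $inner = substr($quoted, 1, -1);
    // Equal only if all quotes disappear as pairs; an odd one out survives the first replace.
    return str_replace("''", '', $inner) === str_replace("'", '', $inner);
}

// Constructed sample value containing a single quote.
$value = "O'Reilly";
foreach (['backslash' => quoteWithBackslash($value), 'oracle' => quoteOracle($value)] as $kind => $literal) {
    printf("%-9s %-14s safe=%s\n", $kind, $literal, isSafeOracleLiteral($literal) ? 'yes' : 'no');
}
```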



Posted by Christian Münch (cmuench) on 2008-02-07T08:04:32.000+0000

We tested the resolution in the bug description. This fixes the broken oci adapter.

Posted by Thorsten Kunz (sunfire) on 2008-03-18T09:33:40.000+0000

I wonder why this is not fixed yet? This allows for SQL injection if people use the PDO_OCI adapter and rely on _quote() to work as advertised! The fix is so easy and already accepted in the regular Oracle adapter so please can someone commit the fix?

Posted by rodolfo (rodolfo) on 2008-07-07T11:44:22.000+0000

I have problems like this using Zend_Auth_Adapter_DbTable with Oracle Express, and I created a patch for this in Zend_Db_Adapter_Pdo_Oci.

Posted by Mickael Perraud (mikaelkael) on 2008-10-04T06:51:24.000+0000

Fixed in SVN11672 (applies the same quoting as the Oracle adapter). Fix test failure testSelectColumnWithColonQuotedParameter.
