Issue Type: Bug Created: 2008-01-08T12:23:00.000+0000 Last Updated: 2008-10-10T14:41:47.000+0000 Status: Resolved Fix version(s): - 1.6.2 (13/Oct/08)
Reporter: Thorsten Kunz (sunfire) Assignee: Mickael Perraud (mikaelkael) Tags: - Zend_Db
Related issues: Attachments: - oracle_oci.patch
The _quote function in the Zend_Db_Adapter_Pdo_Oci quotes single-quotes with addcslashes. This is wrong since oracle requires a single-quote to be escaped with another single-quote and not a backslash. Please use the _quote() function from Zend_Db_Adapter_Oracle for quoting since there is it correct.
Posted by Christian Münch (cmuench) on 2008-02-07T08:04:32.000+0000
We tested the resolution in the bug description. This fixes the broken oci adapter.
Posted by Thorsten Kunz (sunfire) on 2008-03-18T09:33:40.000+0000
I wonder why this is not fixed yet? This allows for SQL injection if people use the PDO_OCI adapter and rely on _quote() to work as advertised! The fix is so easy and already accepted in the regular Oracle adapter so please can someone commit the fix?
Posted by rodolfo (rodolfo) on 2008-07-07T11:44:22.000+0000
I have problems like this using Zend_Auth_Adapter_DbTable with Oracle Express and I created a patch to this in Zend_Db_Adapter_Pdo_Oci.
Posted by Mickael Perraud (mikaelkael) on 2008-10-04T06:51:24.000+0000
Fixed in SVN11672 (applies same quoting as Oracle adapter). Fix test failure testSelectColumnWithColonQuotedParameter.
Have you found an issue?
See the Overview section for more details.