
Commit bf3f406

ezimuelweierophinney
authored and committed
Fixed potential SQL injections in order() and group()
1 parent d2560a5 commit bf3f406


2 files changed

+13
-3
lines changed


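--- a/library/Zend/Db/Select.php
+++ b/library/Zend/Db/Select.php
@@ -81,7 +81,9 @@ class Zend_Db_Select
 const SQL_ASC = 'ASC';
 const SQL_DESC = 'DESC';
 
-const REGEX_COLUMN_EXPR = '/^([\w]*\s*\(([^\(\)]|(?1))*\))$/';
+const REGEX_COLUMN_EXPR = '/^([\w]*\s*\(([^\(\)]|(?1))*\))$/';
+const REGEX_COLUMN_EXPR_ORDER = '/^([\w]+\s*\(([^\(\)]|(?1))*\))$/';
+const REGEX_COLUMN_EXPR_GROUP = '/^([\w]+\s*\(([^\(\)]|(?1))*\))$/';
 
 /**
 * Bind variables for query
@@ -511,7 +513,7 @@ public function group($spec)
 }
 
 foreach ($spec as $val) {
-if (preg_match(self::REGEX_COLUMN_EXPR, (string) $val)) {
+if (preg_match(self::REGEX_COLUMN_EXPR_GROUP, (string) $val)) {
 $val = new Zend_Db_Expr($val);
 }
 $this->_parts[self::GROUP][] = $val;
@@ -603,7 +605,7 @@ public function order($spec)
 $val = trim($matches[1]);
 $direction = $matches[2];
 }
-if (preg_match(self::REGEX_COLUMN_EXPR, (string) $val)) {
+if (preg_match(self::REGEX_COLUMN_EXPR_ORDER, (string) $val)) {
 $val = new Zend_Db_Expr($val);
 }
 $this->_parts[self::ORDER][] = array($val, $direction);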
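Review bot: The tightened `REGEX_COLUMN_EXPR_ORDER` and `REGEX_COLUMN_EXPR_GROUP` patterns still pass any whole string shaped like `name(...)` with balanced parentheses through as a raw `Zend_Db_Expr`, so the `preg_match` branches in group() and order() remain a heuristic rather than a guarantee; only the leading-bare-parenthesis case that the new tests exercise is closed by changing `[\w]*` to `[\w]+`. That contract should be stated next to the constants, e.g. `// Heuristic: a value of the form name(...) is emitted unquoted as a raw expression. Callers must whitelist column names before passing user input to order()/group().` The two new constants are byte-identical; if they are meant to diverge later, a comment should say so, otherwise a single constant avoids the appearance of two different rules. group() and order() both begin outside the hunks shown.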

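--- a/tests/Zend/Db/Select/StaticTest.php
+++ b/tests/Zend/Db/Select/StaticTest.php
@@ -834,6 +834,10 @@ public function testSqlInjectionWithOrder()
 $select = $this->_db->select();
 $select->from(array('p' => 'products'))->order('MD5(1);drop table products; -- )');
 $this->assertEquals('SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products; -- )" ASC', $select->assemble());
+
+$select = $this->_db->select();
+$select->from('p')->order("MD5(\";(\");DELETE FROM p2; SELECT 1 #)");
+$this->assertEquals('SELECT "p".* FROM "p" ORDER BY "MD5("";("");DELETE FROM p2; SELECT 1 #)" ASC', $select->assemble());
 }
 
 public function testSqlInjectionWithGroup()
@@ -845,6 +849,10 @@ public function testSqlInjectionWithGroup()
 $select = $this->_db->select();
 $select->from(array('p' => 'products'))->group('MD5(1); drop table products; -- )');
 $this->assertEquals('SELECT "p".* FROM "products" AS "p" GROUP BY "MD5(1); drop table products; -- )"', $select->assemble());
+
+$select = $this->_db->select();
+$select->from('p')->group("MD5(\";(\");DELETE FROM p2; SELECT 1 #)");
+$this->assertEquals('SELECT "p".* FROM "p" GROUP BY "MD5("";("");DELETE FROM p2; SELECT 1 #)"', $select->assemble());
 }
 
 public function testSqlInjectionInColumn()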
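Review bot: The added assertions in testSqlInjectionWithOrder and testSqlInjectionWithGroup only pin the negative path (the value ends up quoted as an identifier); nothing in either hunk checks that a well-formed expression such as `->order('MD5(1)')` is still emitted unquoted, so a regression that quoted every value would pass these tests. One positive assertion per method, asserting that the assembled SQL contains `ORDER BY MD5(1)` (and `GROUP BY MD5(1)`) without surrounding quotes, would document what the new `[\w]+` requirement is meant to preserve; the exact expected string should be confirmed against the adapter's rendering. Each method now holds two unrelated payloads with no comment explaining what the second one targets, so a one-line note such as `// a bare "(" inside the arguments must not be treated as a nested call` would help the next reader. Both test methods start outside the hunks shown.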
