Bug #23557
closed
quoteStrForLike does not properly escape strings in sql_mode NO_BACKSLASH_ESCAPES
0%
Description
In this mode MySQL expects the quoting character to be explicitly set:
e.g.
SELECT 'David_' LIKE 'David\_' ESCAPE '\';
Solution:
set sql_mode='' during DBinit
Note:
It has to be checked if this is a proper solution and if this needs a bulletin.
SET sql_mode='NO_BACKSLASH_ESCAPES';
(issue imported from #M15737)
Files
Updated by Oliver Hader over 13 years ago
PoC:
$variable = "INJECT' UNION SELECT username,password FROM be_users; #";
$query = 'SELECT uid,pid FROM tt_content WHERE header LIKE ' . fullQuoteString($variable);
results in
SET sql_mode='NO_BACKSLASH_ESCAPES';
SELECT uid,pid FROM tt_content WHERE header LIKE 'INJECT\' UNION SELECT username,password FROM be_users; #';
Updated by Oliver Hader over 13 years ago
Setting the ESCAPE statement at the end of the query does not help since in the PoC given it's not evaluated since a comment started already:
SELECT uid,pid FROM tt_content WHERE header LIKE 'INJECT\' UNION SELECT username,password FROM be_users; #' ESCAPE '\';
Updated by Oliver Hader over 13 years ago
Since the SQL mode can contain other settings that are separated by comma, just unsetting the variable with "SET sql-mode='';" might introduce misbehaviours.
Thus, the NO_BACKSLASH_ESCAPES option shall be removed from the current session settings delivered by "SELECT @@SESSION.sql_mode;"
Updated by Xavier Perseguers over 13 years ago
You may use the setDBInit field in localconf.php for whatever you want with MySQL. This is not processed by DBAL for other DBMS.
Updated by Oliver Hader over 13 years ago
I attached patches that add a new methode setSqlMode() to t3lib_db which will be called after the setDBInit execution and will fix the NO_BACKSLASH_ESCAPES mode...
Updated by