Bug #23557
closed
quoteStrForLike does not properly escape strings in sql_mode NO_BACKSLASH_ESCAPES
Added by Helmut Hummel about 14 years ago.
Updated about 6 years ago.
Description
In this mode MySQL expects the quoting character to be explicitly set:
e.g.
SELECT 'David_' LIKE 'David\_' ESCAPE '\';
Solution:
set sql_mode='' during DBinit
Note:
It has to be checked if this is a proper solution and if this needs a bulletin.
SET sql_mode='NO_BACKSLASH_ESCAPES';
(issue imported from #M15737)
PoC:
$variable = "INJECT' UNION SELECT username,password FROM be_users; #";
$query = 'SELECT uid,pid FROM tt_content WHERE header LIKE ' . fullQuoteString($variable);
results in
SET sql_mode='NO_BACKSLASH_ESCAPES';
SELECT uid,pid FROM tt_content WHERE header LIKE 'INJECT\' UNION SELECT username,password FROM be_users; #';
Setting the ESCAPE clause at the end of the query does not help, since in the given PoC it is never evaluated: a comment has already started before it:
SELECT uid,pid FROM tt_content WHERE header LIKE 'INJECT\' UNION SELECT username,password FROM be_users; #' ESCAPE '\';
Since the SQL mode can contain other settings that are separated by comma, just unsetting the variable with "SET sql_mode='';" might introduce misbehaviours.
Thus, the NO_BACKSLASH_ESCAPES option shall be removed from the current session settings delivered by "SELECT @@SESSION.sql_mode;"
You may use the setDBInit field in localconf.php for whatever you want with MySQL. This is not processed by DBAL for other DBMS.
I attached patches that add a new method setSqlMode() to t3lib_db which will be called after the setDBInit execution and will fix the NO_BACKSLASH_ESCAPES mode...
- Status changed from Resolved to Closed
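The comments above settle on removing only the NO_BACKSLASH_ESCAPES flag from whatever "SELECT @@SESSION.sql_mode;" returns, rather than blanking the whole variable. The following is an added illustration of that flag-stripping logic, not code from the issue or from TYPO3's setSqlMode() patch. It is written in Python rather than PHP so it can be run stand-alone; the function names, the whitelist check on flag names and the sample mode strings are assumptions made for the example.

```python
import re

NO_BACKSLASH_ESCAPES = "NO_BACKSLASH_ESCAPES"

# MySQL mode flags are plain identifiers; anything else in the value is
# rejected so the string can be safely embedded in the SET statement below.
_FLAG_RE = re.compile(r"^[A-Z0-9_]+$")


def parse_sql_mode(mode_string):
    """Split the value of SELECT @@SESSION.sql_mode into uppercase flags."""
    flags = []
    for raw in mode_string.split(","):
        flag = raw.strip().upper()
        if not flag:
            continue  # tolerate trailing commas or empty entries
        if not _FLAG_RE.match(flag):
            raise ValueError("unexpected sql_mode flag: %r" % raw)
        flags.append(flag)
    return flags


def has_no_backslash_escapes(mode_string):
    """True if the session mode contains the flag that defeats \\' quoting."""
    return NO_BACKSLASH_ESCAPES in parse_sql_mode(mode_string)


def remove_sql_mode_flag(mode_string, flag=NO_BACKSLASH_ESCAPES):
    """Return the mode string with only the given flag removed.

    All other comma-separated settings are kept, which is the point made in
    the issue: 'SET sql_mode=""' would also drop unrelated settings.
    """
    return ",".join(f for f in parse_sql_mode(mode_string) if f != flag.upper())


def build_set_sql_mode(mode_string):
    """Return the corrective SET statement, or None if no change is needed."""
    if not has_no_backslash_escapes(mode_string):
        return None
    return "SET sql_mode='%s';" % remove_sql_mode_flag(mode_string)


if __name__ == "__main__":
    # Constructed sample values standing in for SELECT @@SESSION.sql_mode results.
    samples = [
        "STRICT_TRANS_TABLES,NO_BACKSLASH_ESCAPES,NO_ENGINE_SUBSTITUTION",
        "NO_BACKSLASH_ESCAPES",
        "STRICT_TRANS_TABLES",
        "",
    ]
    for mode in samples:
        print("%-64r -> %r" % (mode, build_set_sql_mode(mode)))
```

When only NO_BACKSLASH_ESCAPES is set, the result collapses to the "SET sql_mode='';" originally proposed in the description; when other flags are present they survive, and when the flag is absent nothing is sent at all, so the check can run unconditionally after setDBInit.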