Escaping issue in TeraWurflDatabase_MySQL5.php
Posted: Mon Nov 26, 2012 2:25 am
Hello there,
I occasionally see that kind of error in my Apache logs:
$res = $this->dbcon->query("SELECT * FROM `$tablename` WHERE `user_agent`=".$this->SQLPrep($userAgent));
Which brought me to function SQLPrep() and how it adds proper quotes after testing if argument is not a numeric using TeraWurflDatabase::isNumericSafe()
Suggested regex (barely tested): '/^-?[\d]+(\.[\d]+)?$/'
Regards,
I occasionally see that kind of error in my Apache logs:
Here is the incriminated line:PHP Fatal error: Uncaught exception 'Exception' with message 'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.820' at line 1' in [...]/DatabaseConnectors/TeraWurflDatabase_MySQL5.php:412
Stack trace:
#0 [...]/TeraWurfl.php(210): TeraWurflDatabase_MySQL5->getDeviceFromCache('6.47.820')
#1 [...]/TeraWurfl.php(181): TeraWurfl->getDeviceCapabilitiesFromRequest(Array)
#2...
$res = $this->dbcon->query("SELECT * FROM `$tablename` WHERE `user_agent`=".$this->SQLPrep($userAgent));
Which brought me to function SQLPrep() and how it adds proper quotes after testing if argument is not a numeric using TeraWurflDatabase::isNumericSafe()
It's quite obvious here, current regex will consider a string with several dots '.' as a numeric.public static function isNumericSafe($value) {
return (bool)preg_match('/^-?[\d]+([\.\d]+)?$/', $value);
}
Suggested regex (barely tested): '/^-?[\d]+(\.[\d]+)?$/'
Regards,