Skip to content
This repository was archived by the owner on May 16, 2018. It is now read-only.

Commit da09186

Browse files
ezimuelweierophinney
ezimuel
authored and
weierophinney
committed
Patch for potential Sql injection in ORDER()
1 parent fa015ec commit da09186

2 files changed

Lines changed: 11 additions & 1 deletion

File tree

library/Zend/Db/Select.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -601,7 +601,7 @@ public function order($spec)
601601
$val = trim($matches[1]);
602602
$direction = $matches[2];
603603
}
604-
if (preg_match('/\(.*\)/', $val)) {
604+
if (preg_match('/^[\w]*\(.*\)$/', $val)) {
605605
$val = new Zend_Db_Expr($val);
606606
}
607607
$this->_parts[self::ORDER][] = array($val, $direction);

tests/Zend/Db/Select/TestCommon.php

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1757,4 +1757,14 @@ public function testJoinUsingUsesAliasOfTableBeingJoinedWhenAliasIsDefined()
17571757
$this->assertRegexp("/ON {$table2_alias}.{$colname}/s", $select->assemble());
17581758
}
17591759

1760+
public function testSqlInjectionWithOrder()
1761+
{
1762+
$select = $this->_db->select();
1763+
$select->from(array('p' => 'products'))->order('MD5(1);select');
1764+
$this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC');
1765+
1766+
$select = $this->_db->select();
1767+
$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
1768+
$this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC');
1769+
}
17601770
}

0 commit comments

Comments
 (0)