oss-sec mailing list archives

ADOdb PDO driver: incorrect quoting may allow SQL injection


From: Damien Regad <dregad () mantisbt org>
Date: Wed, 07 Sep 2016 19:30:28 +0200

Greetings

jdavidlists reported an issue [1] with the ADOdb 5.x qstr() method
improperly quoting strings, resulting in a potential SQL injection attack
vector.

This affects only PDO-based drivers, and only in the case where the
query is built by inlining the quoted string, e.g.

$strHack = 'xxxx\\\' OR 1 -- ';
$sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
$rs = $db->getAll($sql); // dumps the whole table

Note that it is not recommended to write SQL as per the above example,
the code should be rewritten to use query parameters, like

$strHack = 'xxxx\\\' OR 1 -- ';
$sql = "SELECT * FROM employees WHERE name = ?";
$rs = $db->getAll($sql, array($strHack)); // value is bound, never inlined

Please let me know if a CVE is needed for this.

A patch for the issue is available [2], and will be included in the upcoming
ADOdb v5.20.7 release.

Best regards
Damien Regad
ADOdb maintainer


[1] https://github.com/ADOdb/ADOdb/issues/226
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9
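The following is an added illustration, not code from the advisory or from ADOdb itself: it shows why a quoting routine whose escaping rules do not match the SQL dialect lets the payload above break out of the string, while driver quoting and bound parameters do not. It assumes PHP with the PDO SQLite driver (in-memory database, constructed table contents); `qstr_broken()` is a hypothetical stand-in for "incorrect quoting", not ADOdb's qstr().

```php
<?php
// Added example (not ADOdb code). Runs offline against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO employees (name) VALUES ('alice'), ('bob'), ('carol')");

// Hypothetical broken quoting: escapes a quote with a backslash (MySQL style)
// although SQLite only understands a doubled quote. Constructed for illustration.
function qstr_broken(string $s): string {
    return "'" . str_replace("'", "\\'", $s) . "'";
}

// Correct quoting delegates to the driver, which knows the dialect's rules.
function qstr_pdo(PDO $db, string $s): string {
    return $db->quote($s);
}

// The value from the advisory; after PHP unescaping it reads: xxxx\' OR 1 --
$strHack = 'xxxx\\\' OR 1 -- ';

// 1. Inlined value with mismatched quoting: SQLite treats the backslash as a
//    literal character, so the quote that follows it closes the string and
//    "OR 1 --" becomes part of the WHERE clause (every row is returned).
$sql = "SELECT * FROM employees WHERE name = " . qstr_broken($strHack);
echo $sql, "\n";
echo "broken quoting returned ", count($db->query($sql)->fetchAll()), " row(s)\n";

// 2. Inlined value with driver quoting: PDO::quote doubles the quote, so the
//    whole payload stays inside the string literal and matches no name.
$sql = "SELECT * FROM employees WHERE name = " . qstr_pdo($db, $strHack);
echo $sql, "\n";
echo "PDO::quote returned ", count($db->query($sql)->fetchAll()), " row(s)\n";

// 3. Bound parameter, the form the advisory recommends: the value never
//    becomes part of the SQL text, so no quoting is involved at all.
$stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->execute([$strHack]);
echo "bound parameter returned ", count($stmt->fetchAll()), " row(s)\n";
```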
