Problem/Motivation

The code protecting against multiple statements is part of Connection::query(), but ::prepareStatement() should be protected too.

Proposed resolution

Move the protection code to Connection::prepareStatement().

Remaining tasks

User interface changes

none

API changes

none

Data model changes

none

Release notes snippet

The code protecting against multiple statements that was part of Connection::query(), is moved to a protected method ::preprocessStatement() so that code that calls in sequence ::prepareStatement() and StatementInterface::execute() can benefit from its protection too. See the change record for more details.

CommentFileSizeAuthor
#7 3201266-7.patch7.26 KBmondrake
#7 interdiff_6-7.txt6.44 KBmondrake
#6 3201266-6.patch6.27 KBmondrake
#6 interdiff_3-6.txt2.07 KBmondrake
#3 interdiff_2-3.txt1.19 KBmondrake
#3 3201266-3.patch4.2 KBmondrake
#2 3201266-2.patch3.01 KBmondrake

Comments

mondrake created an issue. See original summary.

mondrake’s picture

mondrake
Location 🇮🇹
commented
Status: Active » Needs review
StatusFileSize
new 3201266-2.patch3.01 KB
mondrake’s picture

mondrake
Location 🇮🇹
commented
StatusFileSize
new 3201266-3.patch4.2 KB
new interdiff_2-3.txt1.19 KB

With a test.

daffie’s picture

daffie commented
Status: Needs review » Reviewed & tested by the community

The code changes look good to me.
We are moving the code for protection against SQL injections to the method Connection::preparestatement() from the method Connection::query(). In the later method is after the moved code block is the method Connection::preparestatement() called. The moved code block is executed as the first code. Therefore the code order execution has not changed. Only the moved code is now also executed in the method Connection::preparestatement().
There is testing added for the code added to the method Connection::preparestatement().
For me it is RTBC.

mondrake’s picture

mondrake
Location 🇮🇹
commented
Status: Reviewed & tested by the community » Needs work

Thanks. Unfortunately it looks like the Sqlite driver needs some changes too.

mondrake’s picture

mondrake
Location 🇮🇹
commented
Status: Needs work » Needs review
StatusFileSize
new interdiff_3-6.txt2.07 KB
new 3201266-6.patch6.27 KB

Fixes for Sqlite. This adds a bit of code duplication, dunno if it's worth adding another method to the base Connection class to preprocess the SQL statement across different drivers.

mondrake’s picture

mondrake
Location 🇮🇹
commented
StatusFileSize
new interdiff_6-7.txt6.44 KB
new 3201266-7.patch7.26 KB

Went ahead and did #6, adding a protected Connection::preprocessStatement() method. This will be used in contrib too IMHO.

Status: Needs review » Needs work

The last submitted patch, 7: 3201266-7.patch, failed testing. View results

mondrake’s picture

mondrake
Location 🇮🇹
commented
Status: Needs work » Needs review
daffie’s picture

daffie commented
Status: Needs review » Reviewed & tested by the community

All the code changes since my last RTBC look good to me.
The fix for SQLite look great.
Back to RTBC for me.

catch’s picture

catch
he/him
Primary language English
commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs change record, +Needs release note, +Needs release manager review

Given we needed changes in the sqlite driver, I think we should add a release note and change record in case similar changes are needed in contrib drivers.

It's also arguably an API change although only for database drivers so still might be OK in a minor.

mondrake’s picture

mondrake
Location 🇮🇹
commented
Issue summary: View changes
Status: Needs work » Reviewed & tested by the community
Issue tags: -Needs change record, -Needs release note

Added draft CR and release note snippet.

catch’s picture

catch
he/him
Primary language English
commented
Issue summary: View changes

  • catch committed 2c84141 on 9.2.x 
    Issue #3201266 by mondrake, daffie: Protection against multiple...
catch’s picture

catch
he/him
Primary language English
commented
Status: Reviewed & tested by the community » Fixed
Issue tags: -Needs release manager review

OK I think the hardening here outweighs the potential bc break, and the new exception is only thrown in a situation that would already throw an exception.

Committed 2c84141 and pushed to 9.2.x. Thanks!

effulgentsia’s picture

effulgentsia commented
Issue tags: +9.2.0 release notes

Per #11.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.