Connection::filterComment

protected Connection::filterComment($comment = '')

Sanitize a query comment string.

Ensure a query comment does not include strings such as "* /" that might terminate the comment early. This avoids SQL injection attacks via the query comment. The comment strings in this example are separated by a space to avoid PHP parse errors.

For example, the comment:

db_update('example')
 ->condition('id', $id)
 ->fields(array('field2' => 10))
 ->comment('Exploit * / DROP TABLE node; --')
 ->execute()

Would result in the following SQL statement being generated:

"/ * Exploit * / DROP TABLE node. -- * / UPDATE example SET field2=..."

Unless the comment is sanitised first, the SQL server would drop the node table and ignore the rest of the SQL statement.

Parameters

string $comment: A query comment string.

Return value

string A sanitized version of the query comment string.

File

core/lib/Drupal/Core/Database/Connection.php, line 533

Class

Connection: Base Database API class.

Namespace

Drupal\Core\Database

Code

protected function filterComment($comment = '') {
  // Change semicolons to period to avoid triggering multi-statement check.
  return strtr($comment, ['*' => ' * ', ';' => '.']);
}

Links:

https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21Database%21Connection.php/function/Connection%3A%3AfilterComment/8.2.x

doc_Drupal

2016-10-29 08:55:49

Comments