I found this code on a legacy app:

$salt = $this->generateSalt();
$new_pass_update = Doctrine_Query::create()
  ->update('User')
  ->set('password', '"'. $this->hash($newPass, $salt) .'"')
  ->set('salt', "sleep(10)")    // $salt)  <- I replaced this
  ->where('email = ?', array($mail))
  ->getDql();                
die($new_pass_update);

I was shocked to see this Dql generated as output:

UPDATE User SET password = "3dbe00a167653a1aaee01d93e77e730e" 
salt = sleep(10) WHERE email = ?

First of all, I didn't expect to see the quotation marks around the password value. I thought that Doctrine would do that for me, so I tried the second argument without them, but I was shocked to see this Dql generated as output:

UPDATE User SET password = "3dbe00a167653a1aaee01d93e77e730e" 
salt = sleep(10) WHERE email = ?

If I change ->getDql() for ->execute() that's exactly the query that is executed and the db sleeps for 10 seconds.

Why is Doctrine behaving like this?

Robert Harvey
Sebastián Grignoli

1 Answer

As Gumbo pointed out, the right API to use with Doctrine 1.* update syntax is:

$new_pass_update = Doctrine_Query::create()
  ->update('User')
  ->set('password', "?", $this->hash($newPass, $salt))
  ->set('salt', "?", $salt)
  ->where('email = ?', array($mail))
  ->execute();

So, the second argument should be "?" and the third one, the associated value.

Sebastián Grignoli
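The difference between the two-argument and three-argument forms of set(), as an added example that is not part of the original post and is not Doctrine's code. It assumes PHP 8 with the pdo_sqlite extension; the MiniUpdate class, the users table and the sample values are hypothetical stand-ins that only model the behaviour described above.

```php
<?php
// Hypothetical stand-in for the set() behaviour discussed above (not Doctrine's implementation).
final class MiniUpdate
{
    private array $sets = [];
    private array $params = [];
    private string $where = '1 = 1';
    private array $whereParams = [];
    public function __construct(private PDO $pdo, private string $table) {}

    // $expr is copied into the statement text as-is; only $param is sent as a bound value.
    public function set(string $column, string $expr, mixed $param = null): self
    {
        $this->sets[] = "$column = $expr";
        if (func_num_args() === 3) {
            $this->params[] = $param;
        }
        return $this;
    }

    public function where(string $cond, array $params): self
    {
        $this->where = $cond;
        $this->whereParams = $params;
        return $this;
    }

    public function getSql(): string
    {
        return "UPDATE {$this->table} SET " . implode(', ', $this->sets) . " WHERE {$this->where}";
    }

    public function execute(): void
    {
        echo $this->getSql(), PHP_EOL; // show the statement text sent to the database
        $this->pdo->prepare($this->getSql())->execute([...$this->params, ...$this->whereParams]);
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (email TEXT, salt TEXT)");
$pdo->exec("INSERT INTO users VALUES ('a@example.test', ''), ('b@example.test', '')");

$value = "upper('abc')"; // constructed sample value that happens to look like SQL
(new MiniUpdate($pdo, 'users'))->set('salt', $value)->where('email = ?', ['a@example.test'])->execute();
(new MiniUpdate($pdo, 'users'))->set('salt', '?', $value)->where('email = ?', ['b@example.test'])->execute();

print_r($pdo->query("SELECT email, salt FROM users ORDER BY email")->fetchAll(PDO::FETCH_KEY_PAIR));
```

The row updated through the two-argument call holds the result of the database evaluating the expression, while the row updated with "?" holds the string unchanged, which is why any value that does not come from trusted code belongs in the third argument.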