From: Yasuo Ohgaki
Date: Mon, 5 Aug 2013 09:24:07 +0000 (+0900)
Subject: Merge branch 'PHP-5.4' into PHP-5.5
X-Git-Tag: php-5.6.0alpha1~340^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cb8d1fc7f913085117da109f89a1e5a6cb535c09;p=php
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
Fixed bug #62978. pg_select()/etc may allow SQL injection when table name is user parameter, users are able to control table names.
---
cb8d1fc7f913085117da109f89a1e5a6cb535c09
diff --cc ext/pgsql/pgsql.c
index de8bfc880d,ded4a62c58..103a3b87ca
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@@ -6043,14 -6164,14 +6165,14 @@@ PHP_PGSQL_API int php_pgsql_insert(PGco
}
var_array = converted;
}
-
+
smart_str_appends(&querystr, "INSERT INTO ");
- smart_str_appends(&querystr, table);
+ build_tablename(&querystr, pg_link, table);
smart_str_appends(&querystr, " (");
-
+
zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(var_array), &pos);
while ((key_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(var_array), &fld,
- &fld_len, &num_idx, 0, &pos)) != HASH_KEY_NON_EXISTANT) {
+ &fld_len, &num_idx, 0, &pos)) != HASH_KEY_NON_EXISTENT) {
if (key_type == HASH_KEY_IS_LONG) {
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Expects associative array for values to be inserted");
goto cleanup;
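Review bot: The array keys walked by the `while` loop directly below the new `build_tablename(&querystr, pg_link, table);` call are SQL identifiers too, and nothing visible in this hunk gives `fld` the same quoting as `table`. If `fld` is appended to `querystr` verbatim further down (the body of php_pgsql_insert starts and ends outside the hunk), callers whose column keys come from request data keep the same identifier-injection exposure that this commit closes for the table name, so that path should be confirmed to quote or validate the key. build_tablename is defined outside the hunk, so its treatment of schema-qualified names and embedded double quotes cannot be checked here. A short comment at the call would record the contract, e.g. `/* table may be "schema.table"; build_tablename() must quote each part as an identifier */`.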