1.2.1137. Sqlite3 Requires Single Quotes

The escapeString() method from SQLite3 escapes only the single quote ('), by doubling it; it leaves the double quote (") untouched, and, because it works on a C string, it stops at the first NUL byte. It is therefore only safe for a value that is embedded in a single-quoted literal.

To properly handle quotes and NUL characters, use a prepared statement with bindParam() or bindValue() instead: the value never becomes part of the SQL text, so the quoting character no longer matters.

Note that SQLite resolves a double-quoted token as an identifier first and only falls back to treating it as a string literal when no such column exists (and only in builds that allow it, see the SQLITE_DQS compile-time option). A value written in double quotes can thus change meaning, or fail to parse, from one SQLite build to another, which is one more reason to keep single quotes for values and double quotes for table and column names.

Quote from the PHP manual comments: The reason this function doesn't escape double quotes is because double quotes are used with names (the equivalent of backticks in MySQL), as in table or column names, while single quotes are used for values.

<?php

// $sqlite is an open SQLite3 connection and $x is untrusted input.

// OK. escapeString is OK with ', which is the only character it escapes.
$query = "SELECT * FROM table WHERE col = '".$sqlite->escapeString($x)."'";

// This is vulnerable to " in $x: escapeString leaves " untouched, so the value can close the literal.
$query = 'SELECT * FROM table WHERE col = "'.$sqlite->escapeString($x).'"';

?>
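The behaviour above, run end to end, as an added example that is not part of the Exakat documentation or of PHP's own code. It assumes the PHP SQLite3 extension, an in-memory database, a constructed users table and a constructed attacker payload; the countRows() helper is its own. The single-quoted query matches no row, the double-quoted one returns every user, the bound query matches no row, and the NUL test shows escapeString() keeping fewer bytes than bindValue() delivers.

```php
<?php
// Added example, not code from the Exakat documentation or the PHP manual.
// Runs against an in-memory SQLite database with constructed sample rows and
// compares escapeString() inside single quotes, inside double quotes, and
// bindValue(), plus the NUL-byte limitation of escapeString().

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('o''brien', 'user')");

// Count the rows a query returns, so each variant can be compared.
function countRows(SQLite3 $db, string $sql): int
{
    $result = $db->query($sql);
    if ($result === false) {
        return 0;
    }
    $count = 0;
    while ($result->fetchArray(SQLITE3_NUM) !== false) {
        $count++;
    }
    return $count;
}

// Constructed attacker input, the same for all three variants: it tries to
// close the literal with " and append an always-true condition.
$x = 'nobody" OR 1=1 --';

// 1. Single-quoted literal: the " in the payload is just data here, and any '
//    would have been doubled by escapeString(), so no user matches.
$single = "SELECT * FROM users WHERE name = '" . $db->escapeString($x) . "'";
printf("%-8s %d row(s)   %s\n", 'single:', countRows($db, $single), $single);

// 2. Double-quoted literal: " passes through escapeString() untouched. SQLite
//    finds no column called "nobody", falls back (SQLITE_DQS) to a string
//    literal, and the injected OR 1=1 -- returns every user.
$double = 'SELECT * FROM users WHERE name = "' . $db->escapeString($x) . '"';
printf("%-8s %d row(s)   %s\n", 'double:', countRows($db, $double), $double);

// 3. Prepared statement: the value is bound, not spliced into the SQL text,
//    so the quote character is irrelevant and the payload is inert.
$stmt = $db->prepare('SELECT * FROM users WHERE name = :name');
$stmt->bindValue(':name', $x, SQLITE3_TEXT);
$result = $stmt->execute();
$bound = 0;
while ($result->fetchArray(SQLITE3_NUM) !== false) {
    $bound++;
}
printf("%-8s %d row(s)\n", 'bound:', $bound);

// 4. NUL bytes: escapeString() stops at the first NUL and silently drops the
//    tail; bindValue() passes the byte length along, so SQLite sees all of it.
$withNul = "ab\0cd";
printf("escapeString kept %d of %d bytes\n", strlen($db->escapeString($withNul)), strlen($withNul));
$stmt = $db->prepare('SELECT hex(:v)');
$stmt->bindValue(':v', $withNul, SQLITE3_TEXT);
printf("bindValue delivered bytes (hex): %s\n", $stmt->execute()->fetchArray(SQLITE3_NUM)[0]);
```

The second case depends on SQLite's double-quoted string fallback being enabled in the library PHP is linked against; on a build compiled with SQLITE_DQS=0 the same query fails with "no such column" instead, which is still a behaviour change caused by the wrong quote character rather than a safe outcome.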

See also SQLite3::escapeString.

1.2.1137.1. Suggestions

  • Use prepared statements whenever possible

  • Switch the query to use single quotes around values

1.2.1137.2. Specs

Short name

Security/Sqlite3RequiresSingleQuotes

Rulesets

All, Changed Behavior, Security

Exakat since

1.0.10

PHP Version

All

Severity

Major

Time To Fix

Slow (1 hour)

Precision

High

Features

sqlite3

Available in

Enterprise Edition, Exakat Cloud